[UNLOCK][ROOT][TWRP][UNBRICK][...] FireTV 2nd gen Cube (raven)

Search This thread
By:
Advanced…
Pro-me3us

Pro-me3us

Senior Member
May 12, 2022
69
61
Functioner said:
I managed to get my raven in a state that even DFU can't fix. The ./amlogic-usbdl image boots ok via DFU, but any of the ./update bl2_boot images eventually result in this
Click to expand...
Click to collapse
I'm not totally sure what changes you were making, but I don't recommend editing the reserved partition if that's what it was.

I have an old bootloader that I made that exits into fastboot mode a little bit earlier than the bootloaders included in the OP. Let me know if that gets you past the crash, in which case I can compile one to dump you into update mode instead.

If you want to flash the magisk patched boot image to the Cube, you need to create a new patched image with Magisk Manager, and leave both recovery and vbmeta unchecked. Also, if you don't have a bootloader exploit to bypass verified boot, the bootloader will always reject modified boot images, which is the signature check fail you are seeing.
 

Attachments

  • bootloader.early_exit.img
    1.6 MB · Views: 7
  • Like
Reactions: Functioner
Functioner

Functioner

Member
Jan 16, 2023
23
6
Pro-me3us said:
I have an old bootloader that I made that exits into fastboot mode a little bit earlier than the bootloaders included in the OP. Let me know if that gets you past the crash, in which case I can compile one to dump you into update mode instead.
Click to expand...
Click to collapse

Yes! That did it...

Code: 
vpu: set clk: 666667000Hz, readback: 666666667Hz(0x100)                         
vpu: vpu_module_init_config                                                     
vpp: vpp_init                                                                   
vpp: g12a/b osd1 matrix rgb2yuv ..............                                  
vpp: g12a/b osd2 matrix rgb2yuv..............                                   
vpp: g12a/b osd3 matrix rgb2yuv..............                                   
USB3.0 XHCI init start                                                          
detect ID pin : Device mode  , r5.b.iddig_curr=1nboard_usb_stop cfg: 2          
hpd_state=0                                                                     
Info: logoparam_getvalue: get succeed: key: logoparam.var.hdmi_mode, value: null
do_hpd_detect: hdmimode=null                                                    
Info: logoparam_getvalue: get succeed: key: logoparam.var.hdmi_colorattr, valuet
do_hpd_detect: colorattribute=rgb,8bit                                          
Info: logoparam_getvalue: get succeed: key: logoparam.var.hdmi_crcvalue, value:0
Info: logoparam_getvalue: get succeed: key: logoparam.var.hdmi_mode, value: null
no sink, fallback to 720p60hz[4]                                                
g_dnl_register: g_dnl_driver.name = usb_dnl_fastboot                            
                                                                                
USB RESET                                                                       
SPEED ENUM                                                                      
                                                                                
USB RESET                                                                       
SPEED ENUM 
.

Thanks much! I was actually trying to generate certain failures during my efforts to obtain persistent root. I see a path that I'm working on.

All of the memory locations used by your bootloader, like, for example, the devicetype location patch;

77d7c850: 00 00 2b 91
14 00 00 1b

Are different on the native bootloader, which is what I'll have to patch in order to do persistent. So, I was trying to sort out all of the native bootloader patch locations. And learn other stuff too.

I can get back to work now without having to spend time compiling a bootloader. Thanks again!
 
Functioner

Functioner

Member
Jan 16, 2023
23
6
Pro-me3us said:
If you want to flash the magisk patched boot image to the Cube, you need to create a new patched image with Magisk Manager, and leave both recovery and vbmeta unchecked.
Click to expand...
Click to collapse

The boot image has no ramdisk. If a recovery style patch isn't used, will magisk still add a ramdisk to a boot image lacking any native ramidsk?
 
Pro-me3us

Pro-me3us

Senior Member
May 12, 2022
69
61
Functioner said:
Yes! That did it.
Click to expand...
Click to collapse
Glad it worked, here's a new bootloader that exits early and drops you in update. And a zipped copy of the reserved partition if you need it. To disprotect the reserved partition ./update bulkcmd 'amlmmc key'

Functioner said:
The boot image has no ramdisk. If a recovery style patch isn't used, will magisk still add a ramdisk to a boot image lacking any native ramidsk?
Click to expand...
Click to collapse
Typically if a device boot image doesn't include a ramdisk, the device won't use it if it's added. There are exceptions to this like certain Xiaomi devices and the 2nd gen Cube (probably other Amlogic boxes too).
 

Attachments

  • bootloader.early-exit-update.img
    1.6 MB · Views: 7
  • reserved.zip
    138.1 KB · Views: 5
Last edited:
Functioner

Functioner

Member
Jan 16, 2023
23
6
The FireFU exploit has the advantage of being able to intercept u-boot prior to execution, patch the changes, and then jump to the patched u-boot.

The entry vector that I'm using can only make hot patches after u-boot has already initialized everything. The same FireFU exploits won't work in this case. I'll need to use different patches.

Next thing I'm trying is disassembly of the native bootloader's u-boot.bin. I don't think I can easily get the equivalent from amazon's source code. I worry though that a hot patch to another memory address won't be at a fixed address, like the u-boot.bin code.
 
Last edited:
Functioner

Functioner

Member
Jan 16, 2023
23
6
Would it be much trouble for you to build a bootloader that uses u-boot from PS7229/1856N, and has no exploit patches other than enabling unrestricted u-boot shell access? Somewhere in the github Raven_Bootloader_Builder section, you noted that the newer versions wouldn't build, or that bootm didn't work, but the latter wouldn't matter.

Edit: may not need another bootloader. Having some success with hot patches to sig check function (rsa_verify_hash.c)

Is the ARB value entirely repurposed for determining the production/engineering device status, or does it also enforce anti-rollback of the flashed bootloader?
 
Last edited:
Pro-me3us

Pro-me3us

Senior Member
May 12, 2022
69
61
Functioner said:
build a bootloader that uses u-boot from PS7279/1856N, and has no exploit patches other than enabling unrestricted u-boot shell access
Click to expand...
Click to collapse
This bootloader is compiled from the PS7229 open source. Only amzn_lockdown.c was edited to remove the u-boot command blacklist. I don't have uart hooked-up to test it, but it should work.

After the release of the source for PS7204, Amazon added more of their UFBL code to the subsequent bootloader source releases. I could not get Fastboot boot to work on the later versions. I don't know if there was a check that I failed to find and patch, or if the source is just incomplete. After PS7229, the later bootloader source fails to even compile.
Functioner said:
is the ARB value entirely repurposed for determining the production/engineering device status, or does it also enforce anti-rollback of the flashed bootloader?
Click to expand...
Click to collapse
I assume it's also used to enforce downgrades of the bootloader. I think it's still up to the vendor (Amazon) to choose to set it in the bootloader. There is no downgrade restriction from PS7242/3516 going down to PS7204. Amazon may have triggered it in one of the 3 bootloader updates since PS7242/3516.
 

Attachments

  • bootloader.7229-1853.u-boot-unlock.img
    1.6 MB · Views: 7
Last edited:
Pro-me3us

Pro-me3us

Senior Member
May 12, 2022
69
61
If you can disable the boot image signature verification, that's probably the most important thing. Setting the device to ARB=0 or engineering mode, may be required too. Engineering mode will enable the fos flags that include disable dm-verity and ADB root. But disabling dm-verity and root with fos flags isn't needed, the magisk-patched boot image can take care of that.
 
Last edited:
Functioner

Functioner

Member
Jan 16, 2023
23
6
Pro-me3us said:
If you can disable the boot image signature verification, that's probably the most important thing.
Click to expand...
Click to collapse

I agree. There's the amlogic verification "aml log : Sig Check -1" (which, oddly, amlogic abandoned after android 9), and the amazon certificate verification. Engineering device mode probably won't overcome the amlogic signature verification, but will give full IDME.
 
Functioner

Functioner

Member
Jan 16, 2023
23
6
Pro-me3us said:
After the release of the source for PS7204, Amazon added more of their UFBL code to the subsequent bootloader source releases. I could not get Fastboot boot to work on the later versions. I don't know if there was a check that I failed to find and patch, or if the source is just incomplete.
Click to expand...
Click to collapse

This is what I believe will be the key to the possibility of persistent root. If, with free rein of arbitrary bootloader modifications, you were unable to get bootm (fastboot boot) to boot a modified boot image on these later versions, then we are stuck. We have to hope the source was bad or that you missed a patch.

Did you only try fastboot boot, or also bootm directly? A boot image can also be loaded to the loadaddr using update:

update mwrite boot.img mem 0x1080000 normal
update bulkcmd 'bootm 0x1080000'
 
Last edited:
Functioner

Functioner

Member
Jan 16, 2023
23
6
GOT IT! Can boot a modified image!

I'll get a PoC package together within the next 24 hours and DM the details on discord.

Edit: Confirmed that fastboot boot also works with this single byte patch, so long as fastboot is invoked from the same boot session as when the patch was made. Actually flashing the modfied boot image to the boot partition on the emmc will probably require another patch, since engineering mode is not enabled.
 
Last edited:
  • Like
Reactions: Sus_i and Pro-me3us
Pro-me3us

Pro-me3us

Senior Member
May 12, 2022
69
61
I was looking back at the source for 7229 today. Booting images through fastboot and update both halt at the same point. I can see what the problem is. in 7229 the uboot command rsvmem is missing, and this is called during the mboot, and then halts when it can't use that command. the cmd_rsvmem file is included with 7229, but typing help in uboot, I can see it's missing.

The source that Amazon posts is just so full of mistakes it's ridiculous. I might be able to find out what is the cause for the exclusion of that command, but it sounds like you may not need it.

Is the single edit you are making just an unlock? and that's enough to remove the signature check?

Very good work! I'm glad to finally see a solution for this on the horizon :)
 
Functioner

Functioner

Member
Jan 16, 2023
23
6
With the patch in effect, I see this before it boots the modified image:

[rsvmem] no check for rsvmem, should check int kernel

But then it continues to boot fine. Yes, all that is done is a single byte patch to the unlock code. It's just a matter of hunting the other patches down though, although even this is completely fine for most uses.

Do you have a raven device with the 7229/1856N native bootloader? The patch address is bootloader dependent. Even the 7229/1853 that you complied earlier is at a different address. What is the newest bootloader that can be used w/o losing DFU?

Edit: uboot help shows rsvmem in the command list on the native 7229/1856N bootloader. Executing rsvmem gives the same result as shown during boot:

rsvmem
no check for rsvmem, should check int kernel

So i guess it is just missing in the source code.
 
Last edited:
Pro-me3us

Pro-me3us

Senior Member
May 12, 2022
69
61
Functioner said:
[rsvmem] no check for rsvmem, should check int kernel
Click to expand...
Click to collapse
This is the correct message, and indicates that cmd_rsvmem is present.
Functioner said:
Do you have a raven device with the 7229/1856N native bootloader? The patch address is bootloader dependent. Even the 7229/1853 that you complied earlier is at a different address. What is the newest bootloader that can be used w/o losing DFU?
Click to expand...
Click to collapse
Bootloaders aren't changed often. I've only seen 6 versions since the Cube was released.
PS7204->PS7212/1333 same
PS7229/1853+1856 are the same
PS7242/2906-PS7242/3516 same

These are the 3 bootloaders before the eFuse is triggered, then there are 3 after. I've tested PS7242/3516 with the latest firmware, it's the last safe one to use as far as I can tell.

One thing to keep in mind. When the bootloader is flashed to the Cube it's offset by 512 bytes. Depending how you extract the bootloader, that 512byte lead may or may not be present.

7229/1853+1856 are the same from what I remember. I have a copy of each if needed
 
Last edited:
Pro-me3us

Pro-me3us

Senior Member
May 12, 2022
69
61
I found the issue with rsvmem and fixed it. PS7229 now boots to FireOS, but I don't know if it makes any difference once you get into FireOS what bootloader version was used. This PS7229 was an old testing version, and I made a number of patches, probably a bunch of redundant ones. If you need I can try to make single patches to give you an idea where certain settings/attributes are.
 

Attachments

  • bootloader.7229-1853.update.img
    1.6 MB · Views: 8
P

p0werpl

Senior Member
Aug 30, 2021
69
8
Functioner said:
GOT IT! Can boot a modified image!

I'll get a PoC package together within the next 24 hours and DM the details on discord.

Edit: Confirmed that fastboot boot also works with this single byte patch, so long as fastboot is invoked from the same boot session as when the patch was made. Actually flashing the modfied boot image to the boot partition on the emmc will probably require another patch, since engineering mode is not enabled.
Click to expand...
Click to collapse
From what I understand, root is not persistent? Does the FTV have to be tethered to the DFU entry device at fresh boot?
 
Pro-me3us

Pro-me3us

Senior Member
May 12, 2022
69
61
Updated the OP with a new version of the Raven boot package. A BIG THANK YOU to @Functioner for getting the root to persist through reboots!

There is now a new bash menu option to root your 2nd gen Cube, with all features working. Make sure that after running the root menu option that Magisk and TWRP are present & functional, because they are both needed to provide an extra layer of protection from accidental Amazon OTA updates. It goes without saying, only update your firmware through TWRP!

DFU access is still needed to apply the new patch, so this will only work on Cubes with firmware older than PS7273 (or that still have USB DFU access). Anyone with a Cube past PS7273, I'd recommend blocking updates now on PS7624, FireOS is only going to get more locked down in future updates.

Any new sealed 2nd gen Cube is guaranteed to come with firmware PS7229 or older and can be fully rooted. Unfortunately new 2nd gen Cubes are getting harder to find fast.
 
Last edited:
  • Like
Reactions: Michajin, JJ2017 and Sus_i
JJ2017

JJ2017

Senior Member
Jan 7, 2017
91
52
Huawei P20 Pro
Many thanks @Pro-me3us for this - good to see some progress on this device.

.... However, I've run into some problems using RAVEN2. I had previously installed the RAVEN exploit and everything was fine. I ran option 1 (in RAVEN2) for persistent root and (as SU) the script seemed to run without issue. But now the device wont boot beyond the initial boot screen. Since then every change I've made (e.g. flashing newer firmware (was on 7229/1856), wiping data in TWRP and flashing boot.img in fastboot) has only made the situation worse!

Is there any way to return to stock & restart the process? I've not updated the bootloader - the exploit still works & I can still access TWRP. But now firmware updates in TWRP are no longer working - the device won't progress beyond boot screen & I'm now stuck in bootloop :confused: Any ideas?
 
You must log in or register to reply here.

Similar threads

K
[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 2nd gen (tank)
Replies
2K
Views
338K
S
sgnmx
K
[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)
Replies
2K
Views
429K
R
rahulbmg
K
[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 3 and Fire TV Stick Lite (sheldon/p)
Replies
718
Views
119K
lionleggend
lionleggend
R
[UNLOCK][ROOT][TWRP][UNBRICK] FireTV 2 (sloane)
Replies
636
Views
63K
Jordan23Anderson
Jordan23Anderson
R
FireTV 1 (bueller) Full Bootloader Unlock
Replies
130
Views
97K
T
T1g3rbl000d

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 13
    Pro-me3us
    Pro-me3us
    RavenMenuV2.png

    Raven Boot v2.0 now includes persistent root. A huge thank you to @Functioner for getting it working! This package includes unrestricted U-Boot, fastboot & Amlogic burn mode commands, as well as TWRP and Magisk support. The Raven boot tool includes options to root your Cube, gain temporary root access without modifying your device, and a number of options for recovery and backup.



    Setup-01.jpeg


    NOTE: FireOS < 7.2.7.3 required

    NOTE: This process does not require you to open your Fire TV 2nd gen Cube

    Changelog:
    v2.1 February 18th, 2023​
    • Updated TWRP v3.6.1-9-0 ---> v3.7.0-9.0
    • Fixed problem with TWRP not always displaying all the partitions under 'Mount/Backup'
      • Always mounts 'Internal Storage' to /sdcard now
    • Fixed bash menu to always use the included fastboot binary
    • Cube's physical buttons can be used on bootup
      • Volume Up ---> Fastboot
      • Volume Down ---> TWRP recovery
      • Action button ---> Amlogic Update
    **Hold down button for ~5sec after power-on, and before the blue LEDs / 1st Amazon logo​
    v2.0 February 9th, 2023​
    • Root is now persistent, does not require computer after every reboot
    • One click option to install root access, TWRP, Magisk & OTA blocker module
    • Magisk updates
      • Zygisk is working (July 1st, 2022)
      • Magisk can be installed from TWRP or direct installed from within Magisk Manager
      • Created module to block Amazon OTA updates via etc/hosts and hiding the OTA apk
      • updated quick access images to Magisk v25.2
    • TWRP updates
      • Bootloader flashing is blocked, so that full OTA firmware bins can be easily flashed (tested up to PS7624/3337)
      • Removed firmware downgrade checks & warnings
      • Added NTFS support for flash drives within TWRP
    • Added options to backup entire reserved partition, and mmcblk0boot0 & mmcblk0boot1 boot partitions in Amlogic update
    • Added emergency boot to Fastboot/Update modes
    v1.0 May 15th, 2022​
    • Temporary unrestricted fastboot, u-boot & update commands
    • Boot with root access or Magisk support
    • Boot to TWRP for backup & recovery
    • Backup Cube using Amlogic Update


    What's needed:
    • linux installation or live-system (Ubuntu 20+ recommended)
    • micro-USB cable
    • device to put Cube into device firmware upgrade (DFU) mode [read below]
    equipment1.jpeg



    libusb is needed for your linux installation to detect the Cube over USB.
    • sudo apt-get install libusb-1.0-0
    To automatically set the proper udev rules for Amlogic install Khadas utils:
    1. sudo apt-get install libusb-dev git
    2. sudo apt-get install git
    3. git clone https://github.com/khadas/utils
    4. cd utils
    5. ./INSTALL


    ***NOTE: If you previously installed Magisk on your Cube from raven_boot v1.0, first run adb shell rm /data/adb/magisk.db to prevent any conflicts with the new Magisk version.

    Instructions
    1. Download raven_boot_v2.0.zip and unzip it. Open a terminal window from the unzipped raven_boot directory

    2. Power off the Cube and connect your DFU device to the Cube's HDMI port. Connect the USB cable (microUSB to USB-type A) to computer & Cube

    3. Power on the Cube, type lsusb in the terminal to confirm ID 1b8e:c003 Amlogic, Inc. is present, indicating the Cube is in DFU mode

    4. Unplug the DFU device from the HDMI port, reconnect the Cube to TV with HDMI cord. Keep the computer connected.

    5. In the terminal type bash menu, and choose option 1) to automatically root the Cube.
    To preserve the Cube's persistent root, be sure to confirm that both TWRP & Magisk are installed.

    Quick Access
    For options 2) and 3) to gain temporary root, download the images zip file that corresponds to your current FireOS version, and unzip the contents into raven_boot/images directory.​
    For Cubes running FireOS 7242/2896 or later get ---> images_7242-2906_v2.0.zip​
    For FireOS versions 7201/942 to 7242/2216 get ---> images_7229-1853_v2.0.zip​

    magisk.png
    root_access.png

    Magisk v25.206 is included with Raven boot, it's recommened that you use this version or newer. For instructions on how to update your firmware and keep root access, read here


    About the exploit
    This exploit is based on a vulnerability in the Amlogic bootrom that allows for us to run unsigned code in the next boot stage (Bl2). To pause the automatic boot up process, before the Cube's saved Bl2 is loaded, we rely on Amlogic's device firmware upgrade mode (DFU). In DFU, only the boot code from the Amlogic s922x SOC (Bl1) has been loaded into memory. We then use the vulnerability to load our modified Bl2, breaking the 'chain of trust', and disabling secure boot so that we can make modifications to the bootloader downstream. The last stage of the bootloader is U-boot (Bl33) which hands off the startup process to the kernel (boot.img). U-boot is modified to unlock any restrictions on u-boot and fastboot commands, giving us full access to system features. We can then use fastboot boot to load our modified boot images (TWRP, magisk-patched boot.img), into memory without modifying the Cube's eMMC.

    Visit GitHub for a more in depth write-up and resources used in this project

    Contributors
    @Functioner
    @Zenofex
    @npjohnson
    @zeewox
    @Pro-me3us

    Additional thanks to
    @tchebb - a bottomless encyclopedia of Amlogic knowledge, answering countless questions & troubleshooting
    @roligov - providing photos, additional FireOS updates, and testing
    @osm0sis, @canyie, @vvb2060 & @yujincheng08 - the Magisk team for being awesome, troubleshooting and making a number of code changes to get all features working on the Cube
    @k4y0z - helping troubleshoot some TWRP and Magisk issues
    View
    4
    Pro-me3us
    Pro-me3us
    EDIT: This procedure has been revised, please follow the instructions here

    Flashing OTA Firmware with TWRP
    To upgrade the Cube firmware past PS7273+ and keep this exploit working, we need to avoid flashing any bootloader version newer than PS7242/3516. The following procedure removes the bootloader flashing instructions from the OTA firmware, so that everything but the bootloader is updated. After updating, the Cube will still boot normally with or without the exploit loaded. Tested & working up to PS7614/3227.

    Modify the firmware:
    1) Download 2nd gen Cube full firmware (XDA or Github), change extention .bin to .zip, and open the file.

    2) Open /META-INF/com/google/android/updater-script in a text editor, delete the following block of code:
    Code: 
    # Bootloader
if (getprop("ro.boot.secure_cpu") == "0")
then
    ui_print("Copying bootloader for non secure device...");
    write_bootloader_image(package_extract_file("images/u-boot.bin"), "bootloader");
else
    ui_print("Copying bootloader for secure device...");
    write_bootloader_image(package_extract_file("images/u-boot.bin.signed"), "bootloader");
endif;

    3) Save modified updater-script to the firmware .zip.


    TWRP Flashing procedure:
    1) Boot Cube into TWRP with the bash menu script [Option (3, Suboption (1].
    Code: 
    adb push <firmware-filename.zip> /sdcard
adb shell
twrp install <firmware-filename.zip>
    Done! reboot

    *2) Flashing can also be done through the TWRP gui using the 'install' button if you prefer


    IMPORTANT: Keep system updates blocked, and only flash firmware through TWRP using this procedure. Firmware upgrades don't require wiping data/cache/dalvik, but if you are downgrading firmware, wiping data may be advisable.


    Note: Amazon added package protection in +PS7273. To remove this, boot into FireOS with root access, edit /data/system/PackageManagerDenyList, delete the list of applications, and save.

    The list of protected applications will be regenerated after every reboot (obtained from Amazon server), to prevent this:
    Code: 
    adb shell pm disable-user com.fireos.arcus.proxy

    Custom launcher use, and the ability to disable/enable any system app will work when booting with or without the exploit.
    View
    4
    D
    Deleted member 11959327
    goapy said:
    Otherwise I'll modify the sot23 version that I have coming tomorrow, replacing the sot23 at24cs02 with an 8-lead version that I can pull from some waste board.
    Click to expand...
    Click to collapse

    I did ^this^ because the 8-lead version that I ordered still hasn't arrived yet. See before/after images below. It was a success and I was able to get the exploit running.

    While swapping out the eeprom, I noticed that the ddc (display data channel) pair of lines was terminated in the plug, even though this edid emulator device supports passthrough. The ddc pair carries at least two kinds of data, edid and hdcp.

    Presumably ddc is terminated because otherwise there would be a serial wire device conflict on the i2c bus at address 0x50, since both the edid emulator device and the sink would each have a eeprom (or prom) at that address.

    But since for dfu usage the address is changed to 0x52, I figured the ddc lines could be reconnected and the 0x52 serial device could just ride on a passthrough i2c bus. So, I wired the sda and scl lines as passthrough lines.

    I hoped that this would mean that I could repeatedly use the exploit over time without swapping hdmi connections for every reboot. And it does do that. But it also takes a power cycle in order boot to dfu mode from an actively running OS. Booting any of the other images, such as fastboot, twrp, etc., do not require a power cycle and reboot straight to dfu mode with the passthrough device installed.

    So, it is still more convenient to just cycle power rather than swap hdmi plugs.

    As far as testing the exploit itself, I've only spent an hour so far. The included magisk patched boot image does work, although when I tried to boot a magisk patched boot image that I patched myself (using the original image on the device as a source), it did not boot. All of the provided boot images do work, and are all very useful.
    View
    3
    Pro-me3us
    Pro-me3us
    I'll see if I can simplify things any further. I tried to find a way to have TWRP automatically skip over the Bootloader code, but there is no simple solution.

    I made a minor TWRP edit that should avoid and date/downgrade warnings, put the image in raven_boot/images.

    Lastly I made an updated magisk patched boot image using the kernel from PS7614/3227 since there have been +10 updates since PS7242/2906 (still worked fine with PS7614/3227 anyways). It's probably about time to make a new version of the OP files, I was just waiting on the next release of Magisk.

    I've been able to both upgrade and downgrade. I'm testing PS7614/3227 now, and as far as I can tell everything is working without any problems.

    PS if anyone is running a firmware below PS7273 and not one of the following, please backup your unit and let me know for the archive:
    PS7212/1333
    PS7229/1853
    PS7229/1856
    PS7242/2906
    PS7242/3516
    View
    3
    Pro-me3us
    Pro-me3us
    JJ2017 said:
    Hi, I could do with some help regarding Magisk.
    The original (May'22) version installs OK but it's not fully functional.
    The July update with working modules (from post#21) won't update and install: when I try to run it - and it asks to update - I just get 'downloading Magisk' spinning wheel.
    Click to expand...
    Click to collapse
    When I created the magisk-patched boot.img in post#21, it was with a Canary build (before v25.2 was released). I think the Canary build may not have had signing enabled, which could be causing an issue with the official release.

    I've created a new magisk-patched-boot.img from Magisk v25.2, for pre PS7242/2906 firmware. Download and unzip this into the 'images' directory of raven_boot. Then boot into FireOS and try installing Magisk Manager v25.2.

    If that doesn't work, I can give you the steps for patching your own boot.img. It's easy, but requires a keyboard to navigate Magisk Manager on FireOS7, so I just post the patched images here to save people the hassle.

    @hasobist Are you using the magisk image from post#21? I'm not sure if I need to create a second image for +PS7242/2906? The modules+Zygisk are broken in the image from the OP.

    @JJ2017 which DFU entry device are you using? Arduino/ATmega/HDMI dongle? Just curious since this is the biggest barrier running this exploit.

    EDIT: uploaded v25.2 Magisk patched boot.img for +PS7242/2906
    View

New posts