[UNLOCK][ROOT][TWRP][UNBRICK][...] FireTV 2nd gen Cube (raven)

Pro-me3us

Senior Member
May 12, 2022
174
178
Many thanks @Pro-me3us for this - good to see some progress on this device.

.... However, I've run into some problems using RAVEN2. I had previously installed the RAVEN exploit and everything was fine. I ran option 1 (in RAVEN2) for persistent root and (as SU) the script seemed to run without issue. But now the device won't boot beyond the initial boot screen. Since then every change I've made (e.g. flashing newer firmware (was on 7229/1856), wiping data in TWRP and flashing boot.img in fastboot) has only made the situation worse!

Is there any way to return to stock & restart the process? I've not updated the bootloader - the exploit still works & I can still access TWRP. But now firmware updates in TWRP are no longer working - the device won't progress beyond boot screen & I'm now stuck in bootloop :confused: Any ideas?
One thought, about people who were using the previous version. There may be a conflict between the new Magisk and old Magisk build because they have different signatures.

Do this:

1) Rerun bash menu option 1); at the end you will be in TWRP.

2) delete the magisk.db file from within twrp
adb shell rm /data/adb/magisk.db
Then reboot, and see if FireOS loads

When in FireOS uninstall old Magisk Manager, and install new Magisk Manager from /sdcard/download
 

Pro-me3us

Senior Member
May 12, 2022
174
178
No, that's not working as I've already wiped the data partition in TWRP
.... I've really dug myself into a hole here which is why I'm asking if it's possible to do a complete reset!
A couple things, if TWRP and Magisk are present, but you lost root, this will trigger authentication error and the device will just boot to fastboot.

If you can do a regular boot, and tell me what lsusb is reporting, I will have a better idea what the problem is. If you see Google Inc. Celkon A88 you are in fastboot, lost root, and having authentication error. Rerunning option 1) will fix this.

If that's not working you can boot to TWRP again using option 1) and then flash one of the ota firmwares. You can start with 7229/1853 which is pretty much 1856.

You have DFU access, so no need to panic, the Cube is definitely recoverable
 

JJ2017

Senior Member
Jan 7, 2017
93
52
Huawei P20 Pro
A couple things,.....
Thanks for your quick replies - I appreciate that.... But I'm OK now - re-flashing vendor.img from fastboot seemed to clear the boot-loop (y)

Now with everything back to 'normal' I will report back when I get RAVEN2 working!
Really appreciate your work on this.

=====================================
Edit: Yes, did get Raven2 working eventually & updated Firmware to latest version too - all good!
 

Pro-me3us

Senior Member
May 12, 2022
174
178
@JJ2017 I was able to confirm that the old version of Magisk will cause the Cube to hang after installing the new Magisk.apk over it. I added a note to the OP to first run adb shell rm /data/adb/magisk.db before patching the Cube with v2.0. It can even be run after patching with v2.0 at the black blank loading screen, followed by a reboot. This will not affect any of your previously installed Magisk modules.

I had wanted to wait for a Magisk Canary build with official package signature, but Canary builds are only coming out every +2months now, and there was no ETA on the next one. This adds a messy little complication if you already had an official build installed.

If you encounter any other issues let me know.
 

Michajin

Senior Member
Oct 23, 2012
1,364
547
Great work @Pro-me3us! If anyone is interested, they still sell the unlockable Cube2 through Verizon to even non-customers (maybe customers can get them cheaper). Costly though, $119; I would expect them to have a clearance sale soon. The parts to do the exploit are $10. OP is very responsive. I am very much a novice and he walked me through the process with the tiny88 card. I can't promise every Cube2 Verizon sells is going to be on 7.2.2.9, but the one I bought was and the refurbished ones were. If you decide to get one, make sure you don't update or anything; either do the exploit on first boot before connecting to the network or use the bypass from aftvnews (make sure you have a SLOW, SLOW CONNECTION SPEED; I used my metered hotspot).
 

Pro-me3us

Senior Member
May 12, 2022
174
178
Updated the OP with a newer version of TWRP and a couple bug fixes. I've also included options to boot into Fastboot, TWRP, and Amlogic Update using the buttons on the Cube during bootup.

Holding volume down still works to boot in to safe mode / disable Magisk modules, you just need to wait until the blue LEDs / first Amazon logo to press and hold. Remember that if you do this you need to manually re-enable modules in Magisk Manager, and that the OTA blocker won't be in effect until the module is re-enabled and the Cube is rebooted.

I can't promise every Cube2 Verizon sells is going to be on 7.2.2.9, but the one I bought was and the refurbished ones were. If you decide to get one, make sure you don't update or anything; either do the exploit on first boot before connecting to the network or use the bypass from aftvnews (make sure you have a SLOW, SLOW CONNECTION SPEED; I used my metered hotspot).
The last batch of 2nd gen Cubes manufactured have PS7229, so if anyone can find a new unit anywhere, it can be rooted. If you patch the Cube right out of the box before registration, the Magisk OTA blocker module should be in effect during setup. Hold 'back'+'menu' when you get the checking for update error, to skip that step.

Thanks for the feedback, I think the new v2.1 should cover a couple of the issues you encountered while patching with v2.0

Edit: Yes, did get Raven2 working eventually & updated Firmware to latest version too - all good!
Great! The new version of TWRP will show all the main partitions now consistently. This may have been why you had issues with your backup?

To restore a previous firmware you only need to flash:
boot
data
odm_image
product_image
vendor_image
system_image

These are the only partitions that get updated with OTA updates. There's also the bootloader but it's blocked in TWRP and should never be updated. For a complete Cube backup you can use bash menu 7) Download partitions with Amlogic burn mode to dump everything to your computer. Those .img files can be flashed back to the Cube from Fastboot or TWRP.
 

Michajin

Senior Member
Oct 23, 2012
1,364
547
This is awesome...
  • Cube's physical buttons can be used on bootup
    • Volume Up ---> Fastboot
    • Volume Down ---> TWRP recovery
    • Action button ---> Amlogic Update
 

Pro-me3us

Senior Member
May 12, 2022
174
178
Magisk Canary build v25.208 is newly available.

Magisk included with Raven boot menu 2.0 and 2.1 has a different signature than the official build line. There's no need to upgrade if you don't want to, but if you want to hop back on the official build line:

  1. Download Magisk v25.208+ to Cube's Download folder

  2. Reboot to TWRP. Open Magisk Manager, tap on reboot icon in top right corner, select 'Reboot to Recovery'. Alternatively, reboot, press and hold volume down on Cube.

  3. Flash Magisk apk in TWRP. Connect a mouse to the Cube, tap install button, select Magisk apk

  4. Reboot to FireOS, install Magisk apk to enable Magisk Manager.


If you don't have a mouse or prefer to use a computer:
  1. Connect computer to Cube with microUSB to USB-A cable

  2. Reboot to TWRP: adb shell reboot recovery, or use either method above.

  3. Flash Magisk apk
    adb shell
    twrp install '/data/media/0/Download/<magisk-filename.apk>'

  4. Reboot to FireOS and install Magisk apk
Once back on the official Magisk build line, all future Magisk updates can be done directly through Magisk Manager.

If the Cube hangs at the FireOS logo during bootup, delete the magisk.db file (adb shell rm /data/adb/magisk.db). You can either open an adb connection (connected computer) at the logo, or delete magisk.db in TWRP.
 

Pro-me3us

Senior Member
May 12, 2022
174
178
There are refurbished 2nd gen Cubes on Woot for $40. No idea if these are on pre7273 firmware.

I'm rolling the dice and in for one.
 

butterchips

New member
Apr 11, 2023
1
0
hdmi-amlogic-boot-dongle.jpg


I don't know how to read schematics, but if I get this exact dongle, do I lift the top pin or bottom pin from the PCB?
 

Pro-me3us

Senior Member
May 12, 2022
174
178
do I lift the top pin or bottom pin from the PCB?
You lift pin2 and connect it to pin8 with a wire
hdmi-amlogic-boot-dongle (1)__01.jpg


@errut This DFU based method of rooting the Cube only works up to Firmware PS7242/3516.

Unfortunately there's nothing for PS7633/3445. I'd suggest blocking updates to prevent any further updates, in case a new method is ever found.

@butterchips you can use this newer method to root your Cube, but assuming your Cube is on Firmware PS7242/3516 or older, I'd still recommend making a DFU dongle so that you have it as a recovery option if you ever get in trouble.
 

boxster03

Member
Feb 15, 2023
34
6
So to make the hdmi dongle, I have to DISCONNECT pin2 from the pcb (GND) and via a wire connect pin2 to pin8 (+5V) (pin2 goes from GND to +5V)?

How to find out whether the method will work for the Woot deal refurb cube 2 I received recently? I don't know what firmware it is on (still in box). If I connect and power up, then sign on to Amazon, will it lose the chance of rooting? I believe I can stop it from auto update FireOS at initial set up by the method discussed in other threads and sign on to amazon to find what OS it is.

What are the chances it is a rootable OS <7242??? If it is 7273 will this method work? I am wondering if it is worth dealing with those tiny pins with the soldering iron I have (it is not meant for such small pins).
 

Top Liked Posts

  • 13
    RavenMenuV2.png

    Raven Boot v2.0 now includes persistent root. A huge thank you to @Functioner for getting it working! This package includes unrestricted U-Boot, fastboot & Amlogic burn mode commands, as well as TWRP and Magisk support. The Raven boot tool includes options to root your Cube, gain temporary root access without modifying your device, and a number of options for recovery and backup.



    Setup-01.jpeg


    NOTE: FireOS < 7.2.7.3 required
    A newer method is available that works up to PS7292, that doesn't use DFU or a DFU device, but has no DFU recovery options

    NOTE: This process does not require you to open your Fire TV 2nd gen Cube

    Changelog:
    v2.2 April 7th, 2023
    • Minor update to Magisk 25.208
      • Hopping back on official signed Magisk app line
        v2.0 and v2.1 use an unofficial Magisk build that will result in a signature mismatch when updating.
        If you are using Raven root v2.0/2.1, delete the file /data/adb/magisk.db on your Cube,
        before updating to Raven root v2.2.
    • Added USB booting for flash drives that use aml_autoscripts, for future development.
    v2.1 February 18th, 2023
    • Updated TWRP v3.6.1-9-0 ---> v3.7.0-9.0
    • Fixed problem with TWRP not always displaying all the partitions under 'Mount/Backup'
      • Always mounts 'Internal Storage' to /sdcard now
    • Fixed bash menu to always use the included fastboot binary
    • Cube's physical buttons can be used on bootup
      • Volume Up ---> Fastboot
      • Volume Down ---> TWRP recovery
      • Action button ---> Amlogic Update
    **Hold down button for ~5sec after power-on, and before the blue LEDs / 1st Amazon logo
    v2.0 February 9th, 2023
    • Root is now persistent, does not require computer after every reboot
    • One click option to install root access, TWRP, Magisk & OTA blocker module
    • Magisk updates
      • Zygisk is working (July 1st, 2022)
      • Magisk can be installed from TWRP or direct installed from within Magisk Manager
      • Created module to block Amazon OTA updates via etc/hosts and hiding the OTA apk
      • updated quick access images to Magisk v25.2
    • TWRP updates
      • Bootloader flashing is blocked, so that full OTA firmware bins can be easily flashed (tested up to PS7624/3337)
      • Removed firmware downgrade checks & warnings
      • Added NTFS support for flash drives within TWRP
    • Added options to backup entire reserved partition, and mmcblk0boot0 & mmcblk0boot1 boot partitions in Amlogic update
    • Added emergency boot to Fastboot/Update modes
    v1.0 May 15th, 2022
    • Temporary unrestricted fastboot, u-boot & update commands
    • Boot with root access or Magisk support
    • Boot to TWRP for backup & recovery
    • Backup Cube using Amlogic Update


    What's needed:
    • linux installation or live-system (Ubuntu 20.04.x recommended)
    • micro-USB cable
    • device to put Cube into device firmware upgrade (DFU) mode [read below]
    equipment1.jpeg



    libusb is needed for your linux installation to detect the Cube over USB.
    • sudo apt-get install libusb-1.0-0
    To automatically set the proper udev rules for Amlogic install Khadas utils:
    1. sudo apt-get install libusb-dev git
    2. sudo apt-get install git
    3. git clone https://github.com/khadas/utils
    4. cd utils
    5. ./INSTALL


    ***NOTE: If you previously installed Magisk on your Cube from raven_boot v1.0, first run adb shell rm /data/adb/magisk.db to prevent any conflicts with the new Magisk version.

    Instructions
    1. Download the latest raven_boot.zip and unzip it. Open a terminal window from the unzipped raven_boot directory

    2. Power off the Cube and connect your DFU device to the Cube's HDMI port. Connect the USB cable (microUSB to USB-type A) to computer & Cube

    3. Power on the Cube, type lsusb in the terminal to confirm ID 1b8e:c003 Amlogic, Inc. is present, indicating the Cube is in DFU mode

    4. Unplug the DFU device from the HDMI port, reconnect the Cube to TV with HDMI cord. Keep the computer connected.

    5. In the terminal type bash menu, and choose option 1) to automatically root the Cube.
    To preserve the Cube's persistent root, be sure to confirm that both TWRP & Magisk are installed.

    Quick Access
    For options 2) and 3) to gain temporary root, download the images zip file that corresponds to your current FireOS version, and unzip the contents into raven_boot/images directory.
    For Cubes running FireOS 7242/2896 or later get ---> images_7242-2906_v2.0.zip
    For FireOS versions 7201/942 to 7242/2216 get ---> images_7229-1853_v2.0.zip

    magisk.png
    root_access.png

    Magisk v25.206 is included with Raven boot, it's recommended that you use this version or newer. For instructions on how to update your firmware and keep root access, read here


    About the exploit
    This exploit is based on a vulnerability in the Amlogic bootrom that allows for us to run unsigned code in the next boot stage (Bl2). To pause the automatic boot up process, before the Cube's saved Bl2 is loaded, we rely on Amlogic's device firmware upgrade mode (DFU). In DFU, only the boot code from the Amlogic s922x SOC (Bl1) has been loaded into memory. We then use the vulnerability to load our modified Bl2, breaking the 'chain of trust', and disabling secure boot so that we can make modifications to the bootloader downstream. The last stage of the bootloader is U-boot (Bl33) which hands off the startup process to the kernel (boot.img). U-boot is modified to unlock any restrictions on u-boot and fastboot commands, giving us full access to system features. We can then use fastboot boot to load our modified boot images (TWRP, magisk-patched boot.img), into memory without modifying the Cube's eMMC.

    Visit GitHub for a more in depth write-up and resources used in this project

    Contributors
    @Functioner
    @Zenofex
    @npjohnson
    @zeewox
    @Pro-me3us

    Additional thanks to
    @tchebb - a bottomless encyclopedia of Amlogic knowledge, answering countless questions & troubleshooting
    @roligov - providing photos, additional FireOS updates, and testing
    @osm0sis, @canyie, @vvb2060 & @yujincheng08 - the Magisk team for being awesome, troubleshooting and making a number of code changes to get all features working on the Cube
    @k4y0z - helping troubleshoot some TWRP and Magisk issues
    4
    EDIT: This procedure has been revised, please follow the instructions here

    Flashing OTA Firmware with TWRP
    To upgrade the Cube firmware past PS7273+ and keep this exploit working, we need to avoid flashing any bootloader version newer than PS7242/3516. The following procedure removes the bootloader flashing instructions from the OTA firmware, so that everything but the bootloader is updated. After updating, the Cube will still boot normally with or without the exploit loaded. Tested & working up to PS7614/3227.

    Modify the firmware:
    1) Download 2nd gen Cube full firmware (XDA or Github), change extension .bin to .zip, and open the file.

    2) Open /META-INF/com/google/android/updater-script in a text editor, delete the following block of code:
    Code:
    # Bootloader
    if (getprop("ro.boot.secure_cpu") == "0")
    then
        ui_print("Copying bootloader for non secure device...");
        write_bootloader_image(package_extract_file("images/u-boot.bin"), "bootloader");
    else
        ui_print("Copying bootloader for secure device...");
        write_bootloader_image(package_extract_file("images/u-boot.bin.signed"), "bootloader");
    endif;

    3) Save modified updater-script to the firmware .zip.



    TWRP Flashing procedure:
    1) Boot Cube into TWRP with the bash menu script [Option (3, Suboption (1].
    Code:
    adb push <firmware-filename.zip> /sdcard
    adb shell
    twrp install <firmware-filename.zip>
    Done! reboot

    *2) Flashing can also be done through the TWRP gui using the 'install' button if you prefer


    IMPORTANT: Keep system updates blocked, and only flash firmware through TWRP using this procedure. Firmware upgrades don't require wiping data/cache/dalvik, but if you are downgrading firmware, wiping data may be advisable.


    Note: Amazon added package protection in +PS7273. To remove this, boot into FireOS with root access, edit /data/system/PackageManagerDenyList, delete the list of applications, and save.

    The list of protected applications will be regenerated after every reboot (obtained from Amazon server), to prevent this:
    Code:
    adb shell pm disable-user com.fireos.arcus.proxy

    Custom launcher use, and the ability to disable/enable any system app will work when booting with or without the exploit.
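
    Added example (not part of the original post or the Raven project's code): a Python check for the "Modify the firmware" steps above. It lists every active write_bootloader_image call in an updater-script, removes the if ... endif; block quoted in the post, and rewrites the firmware zip so the result can be re-checked before flashing. All function names, and the sample lines around the quoted block, are constructed for illustration.

```python
import io
import re
import zipfile

SCRIPT = "META-INF/com/google/android/updater-script"
MARKER = "write_bootloader_image"
IF_RE, ENDIF_RE = re.compile(r"if\b"), re.compile(r"\bendif\s*;?$")

# Constructed sample: the block quoted in the post between two made-up lines.
SAMPLE = '''ui_print("constructed sample");
# Bootloader
if (getprop("ro.boot.secure_cpu") == "0")
then
    ui_print("Copying bootloader for non secure device...");
    write_bootloader_image(package_extract_file("images/u-boot.bin"), "bootloader");
else
    ui_print("Copying bootloader for secure device...");
    write_bootloader_image(package_extract_file("images/u-boot.bin.signed"), "bootloader");
endif;
package_extract_file("boot.img", "/dev/block/boot");
'''

def bootloader_writes(script_text):
    """Return (line_number, text) for every active bootloader-flash line."""
    return [(n, line.strip())
            for n, line in enumerate(script_text.splitlines(), 1)
            if MARKER in line and not line.lstrip().startswith("#")]

def strip_bootloader_block(script_text):
    """Drop each top-level if ... endif; block that flashes the bootloader."""
    out, block, depth = [], [], 0
    for line in script_text.splitlines(keepends=True):
        word = line.strip()
        opens, closes = bool(IF_RE.match(word)), bool(ENDIF_RE.search(word))
        if depth == 0 and not opens:
            out.append(line)
            continue
        block.append(line)
        depth += opens - closes
        if depth == 0:
            if any(MARKER in b for b in block):
                # Also drop the "# Bootloader" comment directly above it.
                if out and out[-1].strip().lower() == "# bootloader":
                    out.pop()
            else:
                out.extend(block)
            block = []
    out.extend(block)  # unterminated block: leave it untouched
    result = "".join(out)
    if bootloader_writes(result):
        raise ValueError("bootloader write remains outside an if block")
    return result

def rewrite_ota(src, dst):
    """Copy the firmware zip src to dst with the patched updater-script."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            data = zin.read(info)
            if info.filename == SCRIPT:
                data = strip_bootloader_block(data.decode()).encode()
            zout.writestr(info, data)

def demo():  # patch a constructed in-memory firmware zip and re-check it
    src, dst = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(src, "w") as z:
        z.writestr(SCRIPT, SAMPLE)
    rewrite_ota(src, dst)
    with zipfile.ZipFile(dst) as z:
        return bootloader_writes(z.read(SCRIPT).decode())
```

    rewrite_ota accepts file paths as well as in-memory buffers. Repacking changes the archive, so any signature computed over the original file no longer matches it.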
    4
    D
    Deleted member 11959327
    Otherwise I'll modify the sot23 version that I have coming tomorrow, replacing the sot23 at24cs02 with an 8-lead version that I can pull from some waste board.

    I did ^this^ because the 8-lead version that I ordered still hasn't arrived yet. See before/after images below. It was a success and I was able to get the exploit running.

    While swapping out the eeprom, I noticed that the ddc (display data channel) pair of lines was terminated in the plug, even though this edid emulator device supports passthrough. The ddc pair carries at least two kinds of data, edid and hdcp.

    Presumably ddc is terminated because otherwise there would be a serial wire device conflict on the i2c bus at address 0x50, since both the edid emulator device and the sink would each have a eeprom (or prom) at that address.

    But since for dfu usage the address is changed to 0x52, I figured the ddc lines could be reconnected and the 0x52 serial device could just ride on a passthrough i2c bus. So, I wired the sda and scl lines as passthrough lines.

    I hoped that this would mean that I could repeatedly use the exploit over time without swapping hdmi connections for every reboot. And it does do that. But it also takes a power cycle in order to boot to dfu mode from an actively running OS. Booting any of the other images, such as fastboot, twrp, etc., do not require a power cycle and reboot straight to dfu mode with the passthrough device installed.

    So, it is still more convenient to just cycle power rather than swap hdmi plugs.

    As far as testing the exploit itself, I've only spent an hour so far. The included magisk patched boot image does work, although when I tried to boot a magisk patched boot image that I patched myself (using the original image on the device as a source), it did not boot. All of the provided boot images do work, and are all very useful.
    3
    I'll see if I can simplify things any further. I tried to find a way to have TWRP automatically skip over the Bootloader code, but there is no simple solution.

    I made a minor TWRP edit that should avoid any date/downgrade warnings, put the image in raven_boot/images.

    Lastly I made an updated magisk patched boot image using the kernel from PS7614/3227 since there have been +10 updates since PS7242/2906 (still worked fine with PS7614/3227 anyways). It's probably about time to make a new version of the OP files, I was just waiting on the next release of Magisk.

    I've been able to both upgrade and downgrade. I'm testing PS7614/3227 now, and as far as I can tell everything is working without any problems.

    PS if anyone is running a firmware below PS7273 and not one of the following, please backup your unit and let me know for the archive:
    PS7212/1333
    PS7229/1853
    PS7229/1856
    PS7242/2906
    PS7242/3516
    3
    Hi, I could do with some help regarding Magisk.
    The original (May'22) version installs OK but it's not fully functional.
    The July update with working modules (from post#21) won't update and install: when I try to run it - and it asks to update - I just get 'downloading Magisk' spinning wheel.
    When I created the magisk-patched boot.img in post#21, it was with a Canary build (before v25.2 was released). I think the Canary build may not have had signing enabled, which could be causing an issue with the official release.

    I've created a new magisk-patched-boot.img from Magisk v25.2, for pre PS7242/2906 firmware. Download and unzip this into the 'images' directory of raven_boot. Then boot into FireOS and try installing Magisk Manager v25.2.

    If that doesn't work, I can give you the steps for patching your own boot.img. It's easy, but requires a keyboard to navigate Magisk Manager on FireOS7, so I just post the patched images here to save people the hassle.

    @hasobist Are you using the magisk image from post#21? I'm not sure if I need to create a second image for +PS7242/2906? The modules+Zygisk are broken in the image from the OP.

    @JJ2017 which DFU entry device are you using? Arduino/ATmega/HDMI dongle? Just curious since this is the biggest barrier running this exploit.

    EDIT: uploaded v25.2 Magisk patched boot.img for +PS7242/2906