[UNLOCK][ROOT][TWRP][UNBRICK][...] FireTV 2nd gen Cube (raven) ≤ PS7242


Pro-me3us

Senior Member
May 12, 2022
497
463
I appreciate all the efforts you've put into this :) thanks a bunch
I was wondering if buying new cube 2nd gen from eBay like that one would work just fine
From what I've seen there are 3 batches of 2nd gen Cube, that ship with the following firmware:

PS7204/1044N (October 2019, initial release of the 2nd gen Cube)
PS7206/1098N (November 2019)
PS7229/1856N (January 2021, shipped with updated remote with channel buttons, sometimes called 2021 Cube)

Up until a month ago Amazon was still selling the 3rd batch with PS7229/1856N. I think this is the final stock. I doubt that Amazon made any new 2nd Gen Cubes in 2022, since they were already working on the 3rd gen Cube release. As long as the 2nd gen Cube is new it will ship with firmware older than PS7273 (March 2022), and this exploit will work.

The photos on the eBay box include the old remote without the channel buttons, so it probably ships with PS7206/1098N.
 
Reactions: rocker0

rocker0

Member
Nov 7, 2019
36
4
From what I've seen there are 3 batches of 2nd gen Cube, that ship with the following firmware:

PS7204/1044N (October 2019, initial release of the 2nd gen Cube)
PS7206/1098N (November 2019)
PS7229/1856N (January 2021, shipped with updated remote with channel buttons, sometimes called 2021 Cube)

Up until a month ago Amazon was still selling the 3rd batch with PS7229/1856N. I think this is the final stock. I doubt that Amazon made any new 2nd Gen Cubes in 2022, since they were already working on the 3rd gen Cube release. As long as the 2nd gen Cube is new it will ship with firmware older than PS7273, and this exploit will work.

The photos on the eBay box include the old remote without the channel buttons, so it probably ships with PS7206/1098N.
Okay, that's a little promising, thanks for explaining that, I'm hoping to get my hands on it soon enough, ordered one already =).
I saw someone over here mentioning there are refurbished ones in eBay, but I didn't come across them so I went for that one instead.
 

Pro-me3us

Senior Member
May 12, 2022
497
463
Okay, that's a little promising, thanks for explaining that, I'm hoping to get my hands on it soon enough, ordered one already =).
I saw someone over here mentioning there are refurbished ones in eBay, but I didn't come across them so I went for that one instead.
Yeah, refurbished units are a little more of a gamble now because it's been 8 months since the Cube was patched.

I see Amazon still selling the 2nd gen Cube new in a bunch of European countries, so new units may appear on Amazon in North America again. I wouldn't be surprised if the 2nd gen Cube was temporarily made unavailable to promote 3rd gen Cube sales.
 
Reactions: rocker0

Pro-me3us

Senior Member
May 12, 2022
497
463
For anyone that is thinking about trying this 2nd gen Cube exploit, and is uncomfortable making their own DFU device (force boot to USB) needed for this process, you might be able to buy a premade one here:


Neil occasionally makes these on request for the Amlogic community, and doesn't make any money off them, so be nice! I've been hesitant to link to him because these are intended for development & recovery purposes, not rooting. I'll list it now since the 2nd gen Cube is on its sunset days.

NOTE: This device will do nothing on FireOS +PS7273 firmware
 
Reactions: rocker0 and roligov

BigEmpty

Member
Dec 2, 2022
34
11
I got root working on my cube! Is it possible some way to use root to get NTFS and ExFAT support natively working on the cube's USB port?
 
Reactions: Pro-me3us

Pro-me3us

Senior Member
May 12, 2022
497
463
I got root working on my cube! Is it possible some way to use root to get NTFS and ExFAT support natively working on the cube's USB port?
Adding native exFAT/NTFS/EXT4/F2FS support for USB OTG is possible, but that would probably take some work.

My cursory understanding is that filesystem support is enabled in the kernel. A kernel module (driver) can be created to use with Magisk to add that support without having to make a custom kernel, but I think the module has to be compiled for the specific kernel being used by the device.

This is a writeup of the module creation for another device:

Most of the exFAT/NTFS/EXT4/F2FS support appears to be based on Vold:

And the 2nd gen Cube kernel source can be found here:

This might be easy for someone that has experience working with Magisk and kernels, but a bit of a project for others. Native NTFS support has been added to other FireTV devices through custom kernels and even at least one Magisk module, but the rooted 2nd gen Cube community is very small.
 
Reactions: BigEmpty

Pro-me3us

Senior Member
May 12, 2022
497
463
I got root working on my cube! Is it possible some way to use root to get NTFS and ExFAT support natively working on the cube's USB port?
A followup, it looks like the Cube already has support for ext3, ext2, ext4, cramfs, squashfs, vfat, msdos, exfat, iso9660, ntfs, fuseblk, udf (listed in /proc/filesystems). So it's possible to manually mount a USB drive. Check /dev/block/ for the USB name, which will be a variation of sdxx. For example I plugged in an NTFS drive that appeared as sda2. This can be mounted wherever you like. I'll mount it to /mnt/usb/ in this example.

Create /mnt/usb/ directory from ADB:
Code:
mkdir /mnt/usb/
Mount sda2 to /mnt/usb/
Code:
mount -t ntfs -o rw /dev/block/sda2 /mnt/usb/
If you want to unmount
Code:
umount /dev/block/sda2

You can then use a file manager or ADB to view the contents of the drive. A few caveats:
1) the NTFS module is read-only, so no writing to the drive. (exFAT may mount as read-write, need to check)
2) the drive won't appear as external storage, so you won't be able to navigate to the drive from within most media players.

Full native support with auto-mount/unmount takes a bit more work. That is handled by the volume daemon (VOLD). @Pretoriano80 made a Magisk module for the 4K Stick to handle this with a modified VOLD. I asked him what would be involved to make something similar, and he suggested checking LineageOS for a version of VOLD that will work with FireOS7 and the Cube. Then it's a matter of going through the kernel log to address any errors or permission issues that arise as the Cube boots. Pretoriano80's module and XDA thread give a good outline. He agrees it's a bit of work but doable for someone that wants to put in the time.
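
Added example (not part of the original post): a POSIX sh check for the two facts the post above relies on, whether the kernel lists a filesystem in /proc/filesystems and whether a mount really ended up read-only or read-write according to /proc/mounts, regardless of the `-o rw` that was requested. The function names and the sample file contents are constructed for illustration; in a root shell on the Cube, omit the file arguments to read the live /proc files.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# fs_kind NAME [FILE]: print "block" or "nodev" for a filesystem listed in
# /proc/filesystems; fail if the kernel does not list it at all.
fs_kind() {
    while read -r first second; do
        if [ -n "$second" ]; then
            # "nodev <name>": virtual filesystem, cannot sit on a USB block device
            if [ "$second" = "$1" ]; then echo nodev; return 0; fi
        elif [ "$first" = "$1" ]; then
            echo block; return 0
        fi
    done < "${2:-/proc/filesystems}"
    return 1
}

# mount_mode MOUNTPOINT [FILE]: print the effective "ro" or "rw" option of the
# mount at MOUNTPOINT; fail if nothing is mounted there.
# /proc/mounts fields: device mountpoint fstype options dump pass.
mount_mode() {
    mp=${1%/}                      # /proc/mounts has no trailing slash
    [ -n "$mp" ] || mp=/
    mode=
    while read -r dev dir fstype opts rest; do
        [ "$dir" = "$mp" ] || continue
        case ",$opts," in          # last matching line wins (stacked mounts)
            *,ro,*) mode=ro ;;
            *,rw,*) mode=rw ;;
        esac
    done < "${2:-/proc/mounts}"
    if [ -z "$mode" ]; then return 1; fi
    echo "$mode"
}

# report FSTYPE MOUNTPOINT [FILESYSTEMS_FILE] [MOUNTS_FILE]
report() {
    kind=$(fs_kind "$1" "${3:-/proc/filesystems}") ||
        { echo "$1: not listed by this kernel"; return 1; }
    [ "$kind" = block ] ||
        { echo "$1: listed as nodev, cannot back a USB drive"; return 1; }
    state=$(mount_mode "$2" "${4:-/proc/mounts}") ||
        { echo "$2: nothing mounted there"; return 1; }
    echo "$1 on $2: kernel support present, effective mode $state"
}

# Constructed sample data modelled on the post: the filesystem list it quotes
# and an NTFS mount that the kernel reports as read-only.
write_samples() {
    cat > "$1/filesystems" <<'EOF'
nodev   sysfs
nodev   proc
nodev   tmpfs
        ext3
        ext2
        ext4
        cramfs
        squashfs
        vfat
        msdos
        exfat
        iso9660
        ntfs
        fuseblk
        udf
EOF
    cat > "$1/mounts" <<'EOF'
/dev/block/sda2 /mnt/usb ntfs ro,relatime,uid=0,gid=0 0 0
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
report ntfs /mnt/usb/ "$demo_dir/filesystems" "$demo_dir/mounts"
report f2fs /mnt/usb/ "$demo_dir/filesystems" "$demo_dir/mounts" || true
rm -rf "$demo_dir"
```

Running `report exfat /mnt/usb` after mounting an exFAT drive answers the open question in caveat 1 for that filesystem.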
 

BigEmpty

Member
Dec 2, 2022
34
11
Yes thank you very much! That's the reason I first asked because once I had root I saw that NTFS devices were populated in dev/block as sda? and if I mounted I could browse them in the adb shell easy. So I thought somehow with root I could get media players to see them easy too. I will read your references about methods to automate the mount/unmount and see what I can learn. Thanks for looking into this so much!
 
Reactions: Pro-me3us

Pro-me3us

Senior Member
May 12, 2022
497
463
EDIT: This procedure has been revised, please follow the instructions here

Flashing OTA Firmware with TWRP
To upgrade the Cube firmware past PS7273+ and keep this exploit working, we need to avoid flashing any bootloader version newer than PS7242/3516. The following procedure removes the bootloader flashing instructions from the OTA firmware, so that everything but the bootloader is updated. After updating, the Cube will still boot normally with or without the exploit loaded. Tested & working up to PS7614/3227.

Modify the firmware:
1) Download 2nd gen Cube full firmware (XDA or Github), change extension .bin to .zip, and open the file.

2) Open /META-INF/com/google/android/updater-script in a text editor, delete the following block of code:
Code:
# Bootloader
if (getprop("ro.boot.secure_cpu") == "0")
then
    ui_print("Copying bootloader for non secure device...");
    write_bootloader_image(package_extract_file("images/u-boot.bin"), "bootloader");
else
    ui_print("Copying bootloader for secure device...");
    write_bootloader_image(package_extract_file("images/u-boot.bin.signed"), "bootloader");
endif;

3) Save modified updater-script to the firmware .zip.



TWRP Flashing procedure:
1) Boot Cube into TWRP with the bash menu script [Option (3, Suboption (1].
Code:
adb push <firmware-filename.zip> /sdcard
adb shell
twrp install /sdcard/<firmware-filename.zip>
# when the install reports Done!, reboot
reboot

*2) Flashing can also be done through the TWRP gui using the 'install' button if you prefer


IMPORTANT: Keep system updates blocked, and only flash firmware through TWRP using this procedure. Firmware upgrades don't require wiping data/cache/dalvik, but if you are downgrading firmware, wiping data may be advisable.


Note: Amazon added package protection in +PS7273. To remove this, boot into FireOS with root access, edit /data/system/PackageManagerDenyList, delete the list of applications, and save.

The list of protected applications will be regenerated after every reboot (obtained from Amazon server), to prevent this:
Code:
adb shell pm disable-user com.fireos.arcus.proxy

Custom launcher use, and the ability to disable/enable any system app will work when booting with or without the exploit.
 
Last edited:
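
Added check (not part of the original post): before pushing the edited package to TWRP, confirm on the computer that the saved updater-script no longer calls write_bootloader_image and that nothing other than the block from step 2 was removed. Function names and the sample scripts are constructed for illustration; `diff` and `unzip` are assumed to be installed.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
SCRIPT_IN_ZIP='META-INF/com/google/android/updater-script'

# Lines that may legitimately disappear: the "# Bootloader" block from step 2
# (and blank lines). Anything else removed means the edit went too far.
ALLOWED='^[[:space:]]*(# Bootloader|if \(getprop\("ro\.boot\.secure_cpu"\) == "0"\)|then|else|endif;'
ALLOWED=$ALLOWED'|ui_print\("Copying bootloader for (non )?secure device\.\.\."\);'
ALLOWED=$ALLOWED'|write_bootloader_image\(package_extract_file\("images/u-boot\.bin(\.signed)?"\), "bootloader"\);'
ALLOWED=$ALLOWED')?[[:space:]]*$'

# bootloader_writes FILE: print, with line numbers, every non-comment line
# that still calls write_bootloader_image.
bootloader_writes() {
    grep -n 'write_bootloader_image' "$1" | grep -v '^[0-9]*:[[:space:]]*#' || true
}

# only_bootloader_removed ORIGINAL EDITED: succeed when the edit added no
# lines and every removed line matches ALLOWED.
only_bootloader_removed() {
    changes=$(diff -u "$1" "$2" | sed '1,2d' || true)   # drop the ---/+++ header
    if printf '%s\n' "$changes" | grep -q '^+'; then return 1; fi
    unexpected=$(printf '%s\n' "$changes" | sed -n 's/^-//p' | grep -v -E "$ALLOWED" || true)
    [ -z "$unexpected" ]
}

# check_edit ORIGINAL EDITED: full check on two extracted updater-scripts.
check_edit() {
    [ -s "$2" ] || { echo "edited script is empty or missing" >&2; return 1; }
    hits=$(bootloader_writes "$2")
    [ -z "$hits" ] || { printf 'bootloader is still written:\n%s\n' "$hits" >&2; return 1; }
    only_bootloader_removed "$1" "$2" ||
        { echo "edit changed more than the bootloader block" >&2; return 1; }
    echo "ok: bootloader block removed, rest of updater-script unchanged"
}

# check_zips ORIGINAL.zip EDITED.zip: same check, reading the script out of
# the firmware packages (the .bin renamed to .zip, as in step 1).
check_zips() {
    work=$(mktemp -d) || return 2
    rc=0
    unzip -p "$1" "$SCRIPT_IN_ZIP" > "$work/orig" &&
        unzip -p "$2" "$SCRIPT_IN_ZIP" > "$work/edit" || rc=2
    [ "$rc" -ne 0 ] || check_edit "$work/orig" "$work/edit" || rc=1
    rm -rf "$work"
    return "$rc"
}

# Constructed samples: the block quoted in the post between two placeholder
# statements, plus one correct edit and two faulty ones.
write_sample_scripts() {
    cat > "$1/orig" <<'EOF'
ui_print("constructed sample: start");
# Bootloader
if (getprop("ro.boot.secure_cpu") == "0")
then
    ui_print("Copying bootloader for non secure device...");
    write_bootloader_image(package_extract_file("images/u-boot.bin"), "bootloader");
else
    ui_print("Copying bootloader for secure device...");
    write_bootloader_image(package_extract_file("images/u-boot.bin.signed"), "bootloader");
endif;
ui_print("constructed sample: end");
EOF
    sed '/^# Bootloader$/,/^endif;$/d' "$1/orig" > "$1/good"     # whole block gone
    grep -v 'u-boot.bin"' "$1/orig" > "$1/partial"               # signed write left in
    sed '/^# Bootloader$/,$d' "$1/orig" > "$1/overcut"           # deleted too much
}

demo=$(mktemp -d)
write_sample_scripts "$demo"
check_edit "$demo/orig" "$demo/good"
check_edit "$demo/orig" "$demo/partial" || true
check_edit "$demo/orig" "$demo/overcut" || true
rm -rf "$demo"
```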

Pro-me3us

Senior Member
May 12, 2022
497
463
I'll see if I can simplify things any further. I tried to find a way to have TWRP automatically skip over the Bootloader code, but there is no simple solution.

I made a minor TWRP edit that should avoid any date/downgrade warnings, put the image in raven_boot/images.

Lastly I made an updated magisk patched boot image using the kernel from PS7614/3227 since there have been +10 updates since PS7242/2906 (still worked fine with PS7614/3227 anyways). It's probably about time to make a new version of the OP files, I was just waiting on the next release of Magisk.

I've been able to both upgrade and downgrade. I'm testing PS7614/3227 now, and as far as I can tell everything is working without any problems.

PS if anyone is running a firmware below PS7273 and not one of the following, please backup your unit and let me know for the archive:
PS7212/1333
PS7229/1853
PS7229/1856
PS7242/2906
PS7242/3516
 

Attachments

  • magisk_boot.img
    9.2 MB · Views: 10
Last edited:

hasobist

Senior Member
Feb 1, 2021
462
89
Hello Pro-me3us!
Thank you for the update and keep the good work going, hoping for a permanent root soon.
Cheers.......
 

BigEmpty

Member
Dec 2, 2022
34
11
Suppose the native BL33 bootloader code had unrestricted access to the u-boot shell. Might a memory patch to the running BL33 code be able to nop or toggle the engineering device status check?
 
Last edited:

Pro-me3us

Senior Member
May 12, 2022
497
463
Suppose the native BL33 bootloader code had unrestricted access to the u-boot shell. Might a memory patch to the running BL33 code be able to nop or toggle the engineering device status check?
Yes, if you can figure out a way to do a memory patch or get unrestricted access to u-boot, that opens up a number of possibilities.

Using Peacock on a rooted device
Unrelated, I was asked whether Peacock would work on the Cube with root. Peacock appears to have a number of security checks that will cause it to force close on a rooted device. @bobpiesz made a Peacock mod that will work, but it requires disabling signature verification, and hiding Magisk.

What's needed:
Magisk / Magisk manager 24.0 or later
LSPosed for Zygisk latest
CorePatch 2.2 (EN)
Modded Peacock app

1) Enable Zygisk in Magisk Manager settings

2) Go to Magisk Manager modules tab, install LSPosed for Zygisk, and enable it. If you don't see an LSPosed icon on your Homescreen/Apps drawer after installation, use a file manager (Total Commander, MiXplorer, etc) to navigate to /data/adb/lspd, and manually install manager.apk. Requires a reboot to become active.

3) Install CorePatch 2.2 (EN) apk, this is the last version compatible with Android 7x-10x. Open CorePatch, grant SuperUser access when prompted, and make sure the second toggle, "Disable Package Manager Signature Verification", is enabled. Open LSPosed and enable CorePatch module. Reboot for CorePatch to become active.

4) Install modded Peacock app, but don't open it yet.

5) Open Magisk Manager, go to settings, enable Enforce DenyList, go to Configure Denylist and add the Peacock app. Lastly in Magisk Manager settings, hide the Magisk app (give Magisk installation permission, then retry), give Magisk any new name.

Now Peacock will no longer force close. If it does force close, go into FireOS settings, apps list, and clear Peacock data & cache, and try to reopen.

A couple other Magisk / LSPosed (Xposed) mods that people might find useful
Install Google Services / AndroidTV Play Store (verified on Cube)

Full remote button remapping including recents & favorites, with Xposed Edge (verified on Cube)
 
Last edited:
Reactions: rocker0

BigEmpty

Member
Dec 2, 2022
34
11
Was Zygisk support added? I must have missed that. I read earlier that su is enabled but not Zygisk.

Was the peacock problem determined to exist equally in the firetv version of the peacock app as compared to the android tv version of the peacock app?

There are differences between the two versions. For example, the android tv version won't run unless google play services is running. Although the firetv version will run on an android tv device just fine with google play services disabled.
 
Last edited:

rocker0

Member
Nov 7, 2019
36
4
I haven't got my hand on the DFU HDMI yet but I am little newbie and I would appreciate if you can help me with some confusions I'm having.


  1. Reconnect the Cube and TV with HDMI cable.
1-I have my laptop placed on some desk and my firetv cube somewhere else near the TV, I will move the firetv cube next to my laptop and do the steps mentioned, but can I unplug the power cable and plug it in again before doing that step "Reconnect the Cube and TV with HDMI cable."
or am I not allowed to do that "I can't power it off at all"?
as I don't think my HDMI cable is that long to reach my TV so if I am allowed to, I would need to unplug the power from the cube and plug it again near my TV then connect the HDMI to my TV:)


  1. Type 'bash menu' in the terminal, and choose your boot mode.
I want to install magisk and LSPosed, do you mind explaining to me the steps I need to do that?
Also I'm confused on which boot mode I have to choose.
Is it fine to restart the firetv cube if ever prompted?
My firetv cube FW is Fire OS 7.2.0.1(PS7201/942)

Thanks a lot
 

Pro-me3us

Senior Member
May 12, 2022
497
463
can I unplug the power cable and plug it in again before doing that step "Reconnect the Cube and TV with HDMI cable."
The exploit is all run in RAM, so if you pull the Cube's power, the exploit is gone along with root access.

You will want to move your laptop to the TV and Cube. Loading the exploit literally takes 10-15sec, then you can move your laptop back to your desk. After the Cube boots you will have root through Magisk until you restart the Cube. The Cube can potentially go 1-2 months without a reboot.

I want to install magisk and LSPosed, do you mind explaining to me the steps I need to do that?
Also I'm confused on which boot mode I have to choose.
Is it fine to restart the firetv cube if ever prompted?
Bash menu option 2) + suboption 2) is all you will want for regular use
2) FireOS boot with Magisk support
2) USB host mode - connect peripherals to Cube

Once you boot into FireOS you can install apps normally. Download and sideload Magisk Manager and LSPosed for Zygisk (steps are the same as the Peacock steps). Whenever a new Magisk or LSPosed module is installed a reboot is required for the module to become active. And because the exploit is wiped from memory, you have to reload it from your laptop. Installing modules is one of the few times that you actually do have to reboot the Cube.

You can freely boot with and without the exploit, going back and forth from Magisk being active or inactive when the exploit is absent. It's not going to corrupt anything.
 
Reactions: rocker0

Functioner

Senior Member
Jan 16, 2023
359
195
DRAM
-> start = 0x
-> size = 0x80000000
TLB addr = 0x
relocaddr = 0x
reloc off = 0x76D61000

Would save some time if someone could fill in the blanks. Approximate size of U-Boot at the top of memory. Raw hex disassembly of U-Boot as expressed in memory for the newest bootloader that can be used. Finally -/+ hex memory patches for amzn_target_is_unlocked, amzn_dm_verity_is_off, amzn_target_device_type with an emphasis on minimum to boot modified boot image on emmc.
 

Functioner

Senior Member
Jan 16, 2023
359
195
I spent the time and sorted it out myself. Something that I noticed that is kind of interesting is that if a magisk boot image is flashed to the emmc on a raven device running the native PS7279/1856N bootloader, it will fail (aml log : Sig Check -1) to a fastboot connection if a usb cable is connected. However, boot can still continue if "fastboot continue" is executed. Though for some reason magiskinit doesn't execute, even though the boot proceeds pretty far it eventually fails due to dm-verity. Not sure why magiskinit doesn't execute. It might be because it's booting the recovery partition and not the boot partition, or possibly it is because of the recovery style patch. I was able to get a 1 value for eng_device on the native PS7279/1856N bootloader, but still get the "aml log : Sig Check -1" bootm failure.
 
Last edited:

Functioner

Senior Member
Jan 16, 2023
359
195
I managed to get my raven in a state that even DFU can't fix. The ./amlogic-usbdl image boots ok via DFU, but any of the ./update bl2_boot images eventually result in this

Code:
"Synchronous Abort" handler, esr 0x96000010                           
ELR:     77e2836c                                                               
LR:      77e28300                                                               
x0 : 0000000000000009 x1 : 0000000000000000                                     
x2 : 0000000077daa164 x3 : 0000000000000001                                     
x4 : 0000000000000030 x5 : 0000000000000000                                     
x6 : 00000000ffffffd0 x7 : 0000000000000004                                     
x8 : 0000000000000038 x9 : 0000000000000008                                     
x10: 000000000000000f x11: 0000000077e3abe0                                     
x12: 0000000000000000 x13: 000000000108660d                                     
x14: 0000000001675200 x15: 0000000001c86516                                     
x16: 0000000073d71f30 x17: 0000000073d72ab8                                     
x18: 0000000073d55e28 x19: 0000000000000001                                     
x20: 0000000000000010 x21: 0000000000000000                                     
x22: 0000000000020000 x23: 0000000087d65000                                     
x24: 0000000000000010 x25: 0000000087d65000                                     
x26: 0000000000000002 x27: 0000000000000003                                     
x28: 0000000077e62f63 x29: 0000000073d54850                                     
                                                                                
Resetting CPU ...

I think the only way to fix it is to build a bootloader image that doesn't proceed through the normal boot process, and starts burn mode, or uart console mode, earlier than this

Code:
enable_dolby_vision                                                             
Dolby Vision  turn on                                                           
[OSD]load fb addr from dts:/meson-fb                                            
[OSD]set initrd_high: 0x7f800000                                                
[OSD]fb_addr for logo: 0x7f800000                                               
[OSD]load fb addr from dts:/meson-fb                                            
[OSD]fb_addr for logo: 0x7f800000                                               
[OSD]VPP_OFIFO_SIZE:0xfff01fff

It is shortly after that the "Synchronous Abort" handler reset happens, using any of the provided images. It might be a recovery bootloop, I was modifying various contents of the emmc.

Should it be possible to build such a bootloader image?
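
Added example (not part of the original post): a small POSIX sh triage helper that reads the U-Boot abort dump shown above and decodes the ESR value into its AArch64 exception class and data fault status code, which tells what kind of access faulted before looking at any registers. The function names are hypothetical and the lookup tables cover only a subset of the architecture's codes; the sample input is the first three lines of the dump quoted in the post.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# bits VALUE HIGH LOW: extract bit field [HIGH:LOW] from VALUE.
bits() {
    echo $(( ($1 >> $3) & ((1 << ($2 - $3 + 1)) - 1) ))
}

# ec_name EC: exception class, ESR bits [31:26] (subset).
ec_name() {
    case $1 in
        0)  echo "unknown reason" ;;
        14) echo "illegal execution state" ;;
        32) echo "instruction abort from a lower exception level" ;;
        33) echo "instruction abort at the current exception level" ;;
        34) echo "PC alignment fault" ;;
        36) echo "data abort from a lower exception level" ;;
        37) echo "data abort at the current exception level" ;;
        38) echo "SP alignment fault" ;;
        47) echo "SError interrupt" ;;
        *)  echo "exception class not in this table" ;;
    esac
}

# dfsc_name DFSC: data fault status code, ESR bits [5:0] of a data abort (subset).
dfsc_name() {
    level=$(( $1 & 3 ))
    case $(( $1 >> 2 )) in
        0) echo "address size fault, level $level"; return ;;
        1) echo "translation fault, level $level"; return ;;
        2) echo "access flag fault, level $level"; return ;;
        3) echo "permission fault, level $level"; return ;;
        5) echo "synchronous external abort on translation table walk, level $level"; return ;;
    esac
    case $1 in
        16) echo "synchronous external abort, not on a translation table walk" ;;
        24) echo "synchronous parity or ECC error on memory access" ;;
        33) echo "alignment fault" ;;
        48) echo "TLB conflict abort" ;;
        *)  echo "fault status not in this table" ;;
    esac
}

# dump_value FILE LABEL: pull "esr", "ELR" or "LR" out of a U-Boot abort dump.
dump_value() {
    case $2 in
        esr) sed -n 's/.*handler, esr \(0x[0-9a-fA-F]*\).*/\1/p' "$1" ;;
        *)   sed -n "s/^$2:[[:space:]]*\([0-9a-fA-F]*\).*/0x\1/p" "$1" ;;
    esac
}

# triage FILE: one-line summary of why the CPU took the exception.
triage() {
    esr=$(dump_value "$1" esr)
    [ -n "$esr" ] || { echo "no ESR line found" >&2; return 1; }
    ec=$(bits "$esr" 31 26)
    summary="EC=$(printf '0x%02x' "$ec") ($(ec_name "$ec"))"
    if [ "$ec" -eq 36 ] || [ "$ec" -eq 37 ]; then
        dfsc=$(bits "$esr" 5 0)
        # WnR, bit 6: 1 = the faulting access was a write, 0 = a read
        if [ "$(bits "$esr" 6 6)" -eq 1 ]; then access=write; else access=read; fi
        summary="$summary, $access, DFSC=$(printf '0x%02x' "$dfsc") ($(dfsc_name "$dfsc"))"
    fi
    echo "$summary; faulting PC $(dump_value "$1" ELR), return address $(dump_value "$1" LR)"
}

# First three lines of the dump quoted in the post.
write_dump() {
    cat > "$1" <<'EOF'
"Synchronous Abort" handler, esr 0x96000010
ELR:     77e2836c
LR:      77e28300
EOF
}

dump_file=$(mktemp)
write_dump "$dump_file"
triage "$dump_file"
rm -f "$dump_file"
```

For this dump the helper reports a data abort taken at the current exception level, on a read, classified as a synchronous external abort rather than a translation or permission fault.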
 

Top Liked Posts

  • 14

    Raven Boot v2.0 now includes persistent root. A huge thank you to @Functioner for getting it working! This package includes unrestricted U-Boot, fastboot & Amlogic burn mode commands, as well as TWRP and Magisk support. The Raven boot tool includes options to root your Cube, gain temporary root access without modifying your device, and a number of options for recovery and backup.





    NOTE: PS7242/3516 or older required
    A newer method is available that works up to PS7292, that doesn't use DFU or a DFU device, but has no DFU recovery options

    NOTE: This process does not require you to open your Fire TV 2nd gen Cube

    Changelog:
    v2.2 April 7th, 2023​
    • Minor update to Magisk 25.208
      • Hopping back on official signed Magisk app line
        v2.0 and v2.1 use an unofficial Magisk build that will result in a signature mismatch when updating.
        If you are using Raven root v2.0/2.1, delete the file /data/adb/magisk.db on your Cube,
        before updating to Raven root v2.2.
    • Added USB booting for flash drives that use aml_autoscripts, for future development.
    v2.1 February 18th, 2023​
    • Updated TWRP v3.6.1-9-0 ---> v3.7.0-9.0
    • Fixed problem with TWRP not always displaying all the partitions under 'Mount/Backup'
      • Always mounts 'Internal Storage' to /sdcard now
    • Fixed bash menu to always use the included fastboot binary
    • Cube's physical buttons can be used on bootup
      • Volume Up ---> Fastboot
      • Volume Down ---> TWRP recovery
      • Action button ---> Amlogic Update
    **Hold down button for ~5sec after power-on, and before the blue LEDs / 1st Amazon logo​
    v2.0 February 9th, 2023​
    • Root is now persistent, does not require computer after every reboot
    • One click option to install root access, TWRP, Magisk & OTA blocker module
    • Magisk updates
      • Zygisk is working (July 1st, 2022)
      • Magisk can be installed from TWRP or direct installed from within Magisk Manager
      • Created module to block Amazon OTA updates via etc/hosts and hiding the OTA apk
      • updated quick access images to Magisk v25.2
    • TWRP updates
      • Bootloader flashing is blocked, so that full OTA firmware bins can be easily flashed (tested up to PS7624/3337)
      • Removed firmware downgrade checks & warnings
      • Added NTFS support for flash drives within TWRP
    • Added options to backup entire reserved partition, and mmcblk0boot0 & mmcblk0boot1 boot partitions in Amlogic update
    • Added emergency boot to Fastboot/Update modes
    v1.0 May 15th, 2022​
    • Temporary unrestricted fastboot, u-boot & update commands
    • Boot with root access or Magisk support
    • Boot to TWRP for backup & recovery
    • Backup Cube using Amlogic Update


    What's needed:
    • linux installation or live-system (Ubuntu 20.04.x recommended)
    • micro-USB cable
    • device to put Cube into device firmware upgrade (DFU) mode [read below]



    libusb is needed for your linux installation to detect the Cube over USB.
    • sudo apt-get install libusb-1.0-0
    To automatically set the proper udev rules for Amlogic install Khadas utils:
    1. sudo apt-get install libusb-dev git
    2. sudo apt-get install git
    3. git clone https://github.com/khadas/utils
    4. cd utils
    5. ./INSTALL


    ***NOTE: If you previously installed Magisk on your Cube from raven_boot v1.0, first run adb shell rm /data/adb/magisk.db to prevent any conflicts with the new Magisk version.

    Instructions
    1. Download the latest raven_boot.zip and unzip it. Open a terminal window from the unzipped raven_boot directory

    2. Power off the Cube and connect your DFU device to the Cube's HDMI port. Connect the USB cable (microUSB to USB-type A) to computer & Cube

    3. Power on the Cube, type lsusb in the terminal to confirm ID 1b8e:c003 Amlogic, Inc. is present, indicating the Cube is in DFU mode

    4. Unplug the DFU device from the HDMI port, reconnect the Cube to TV with HDMI cord. Keep the computer connected.

    5. In the terminal type bash menu, and choose option 1) to automatically root the Cube.
    To preserve the Cube's persistent root, be sure to confirm that both TWRP & Magisk are installed.

    Quick Access
    For options 2) and 3) to gain temporary root, download the images zip file that corresponds to your current FireOS version, and unzip the contents into raven_boot/images directory.​
    For Cubes running FireOS 7242/2896 or later get ---> images_7242-2906_v2.0.zip​
    For FireOS versions 7201/942 to 7242/2216 get ---> images_7229-1853_v2.0.zip​


    Magisk v25.206 is included with Raven boot, it's recommended that you use this version or newer. For instructions on how to update your firmware and keep root access, read here


    About the exploit
    This exploit is based on a vulnerability in the Amlogic bootrom that allows for us to run unsigned code in the next boot stage (Bl2). To pause the automatic boot up process, before the Cube's saved Bl2 is loaded, we rely on Amlogic's device firmware upgrade mode (DFU). In DFU, only the boot code from the Amlogic s922x SOC (Bl1) has been loaded into memory. We then use the vulnerability to load our modified Bl2, breaking the 'chain of trust', and disabling secure boot so that we can make modifications to the bootloader downstream. The last stage of the bootloader is U-boot (Bl33) which hands off the startup process to the kernel (boot.img). U-boot is modified to unlock any restrictions on u-boot and fastboot commands, giving us full access to system features. We can then use fastboot boot to load our modified boot images (TWRP, magisk-patched boot.img), into memory without modifying the Cube's eMMC.

    Visit GitHub for a more in depth write-up and resources used in this project

    Contributors
    @Functioner
    @Zenofex
    @npjohnson
    @zeewox
    @Pro-me3us

    Additional thanks to
    @tchebb - a bottomless encyclopedia of Amlogic knowledge, answering countless questions & troubleshooting
    @roligov - providing photos, additional FireOS updates, and testing
    @osm0sis, @canyie, @vvb2060 & @yujincheng08 - the Magisk team for being awesome, troubleshooting and making a number of code changes to get all features working on the Cube
    @k4y0z - helping troubleshoot some TWRP and Magisk issues
    4
    Deleted member 11959327
    Otherwise I'll modify the sot23 version that I have coming tomorrow, replacing the sot23 at24cs02 with an 8-lead version that I can pull from some waste board.

    I did ^this^ because the 8-lead version that I ordered still hasn't arrived yet. See before/after images below. It was a success and I was able to get the exploit running.

    While swapping out the eeprom, I noticed that the ddc (display data channel) pair of lines was terminated in the plug, even though this edid emulator device supports passthrough. The ddc pair carries at least two kinds of data, edid and hdcp.

    Presumably ddc is terminated because otherwise there would be a serial wire device conflict on the i2c bus at address 0x50, since both the edid emulator device and the sink would each have a eeprom (or prom) at that address.

    But since for dfu usage the address is changed to 0x52, I figured the ddc lines could be reconnected and the 0x52 serial device could just ride on a passthrough i2c bus. So, I wired the sda and scl lines as passthrough lines.

    I hoped that this would mean that I could repeatedly use the exploit over time without swapping hdmi connections for every reboot. And it does do that. But it also takes a power cycle in order boot to dfu mode from an actively running OS. Booting any of the other images, such as fastboot, twrp, etc., do not require a power cycle and reboot straight to dfu mode with the passthrough device installed.

    So, it is still more convenient to just cycle power rather than swap hdmi plugs.

    As far as testing the exploit itself, I've only spent an hour so far. The included magisk patched boot image does work, although when I tried to boot a magisk patched boot image that I patched myself (using the original image on the device as a source), it did not boot. All of the provided boot images do work, and are all very useful.
    4
    I've made a post for booting CoreELEC on unlocked 2nd gen Cubes here.

    CoreELEC is a minimal Linux OS that only runs Kodi. This boots and runs 100% from a USB stick, and will not affect FireOS at all. Simply plug the USB drive into your Cube, reboot, and it will boot from the USB stick. Shutdown CoreELEC when you are done, unplug the USB stick, press the 'action' button on the Cube and it will boot back to FireOS.

    A few of the benefits include lossless audio passthrough support for TrueHD/DTS-MA etc. OS only uses about 400-500MB of the 2GB available.

    This is still a beta in testing. Looking for feedback on what is and isn't working