2ND GEN AMAZON FIRE TV Officially ROOTED
NOTE: Root was just obtained a few days ago so… this procedure is not the most time efficient, but it is just a few simple steps that anyone with a technical background can follow. Linux experience will be beneficial. The usual disclaimers apply, which means this rooting procedure comes with some risks and the scripts involved haven’t been tested in all environments. Any harm that may come from rooting your device using this procedure is at your own risk and I assume no responsibility for any damage it may cause. I will do my best to help you get through it and recover if possible.
Root the Device
It’s taken quite a bit of effort, but I’ve finally managed to create a pre-rooted system image (as well as backup the original) and provide a semi-efficient way to flash the rooted system image. Before attempting any of the steps listed below YOU MUST BE RUNNING 188.8.131.52. You should also have a unmodified/pristine system partition. You would probably know if you had any modifications and at this point that would be extremely uncommon. If the patching fails for some reason just power off the device, reboot your computer (resets the serial driver), start the handshake program, then turn on the device. Also try a different USB port or USB cable. Once the handshake completes run the patching command again. There is no harm running the patching command two or more times.
To get started you will need a system that meets the following requirements:
- Linux (Mac OS X w/ changes)
- Python 3.x
- USB Male A to Male A cable
- R/W access to /dev/ttyACM0 (preloader serial device)
- ADB USB access (optional, but helpful)
- Stop ModemManager (if you have it setup, blocks handshaking)
Now run the following sequence of commands:
git clone https://gitlab.com/zeroepoch/aftv2-tools.git cd aftv2-tools wget http://download.zeroepoch.com/aftv2/184.108.40.206/system.root.img.gz wget http://download.zeroepoch.com/aftv2/220.127.116.11/system.diff.gz gunzip system.root.img.gz gunzip system.diff.gz adb reboot ; ./handshake.py # or restart but run ./handshake.py first ./patch_mmc.sh 0x00000000058e0000 system.root.img system.diff # takes ~2 hours # last address is 0x50dce600
For Macs to satisfy the requirements above you will need to install python 3.5.0 for Mac OS X from python.org then run “sudo pip3 install pyserial” to install pyserial. Instead of “wget $URL” use “curl -O $URL“. You will need to change PORT at the top of handshake.py and write_mmc.py to get the instructions above to work. One quick way to probe for the path to the preloader device is to restart the Fire TV 2 and look for changes to the output (appear then disappear quickly) from the following loop:
while true ; do ls -l /dev/cu.usbmodem* ; sleep 1 ; done
In theory Windows should work as well, but you’d need a bash shell and some changes to the serial port setup. Windows is not something I have the time to develop at the moment. With some feedback from the community I can update the scripts to work with Windows systems.
To test that root is working you should first connect to adb shell and then run the command “su“. You will need to accept a prompt on the screen at least once. The shell should change from a dollar-sign ($) prompt to a hash (#) prompt.
If you would like to disable updates after rooting you can use the following commands:
adb shell su pm disable com.amazon.device.software.ota
To go back to stock in case you want to update or for whatever other reason:
wget http://download.zeroepoch.com/aftv2/18.104.22.168/system.orig.img.gz gunzip system.orig.img.gz adb push system.orig.img /data/local/tmp adb shell su cat /data/local/tmp/system.orig.img > /dev/block/platform/mtk-msdc.0/by-name/system reboot
I don’t always have the best luck transferring large files over ADB so another option is to copy the uncompressed image file to a microSD card and changing the path to /storage/sdcard1/system.orig.img. Be extremely careful that you have the right path, that the file you are reading exists, and that the file is around 1.2 GB in size. Otherwise you may potentially trash your system.
This root method works by rebooting the device and halting the boot process at the MediaTek preloader. Once halted at the preloader we can use the preloader binary API to send a series of MMC commands to the flash chip which allows 512 byte blocks to be read and written using a simple FIFO. Since we have both the original and modified system images we can generate a list of blocks that are different between the two images and only patch those blocks. This means we need to write less than 10 MB instead of 1.2 GB. If we had to send the entire system image at the speeds the preloader is limited to it would take about 2 weeks. If for some reason the system partition becomes unbootable that would be your only option to recover right now. By sending just the differences the patching only takes about 2 hours. There are ways to speed this up (about 5-10 minutes instead), but you’d need to obtain limited root access first using a much more complicated procedure. I choose to provide instead a slower but much simpler series of commands.
The MT preloader is a process that runs before the regular bootloader (lk/fastboot) and of course before the kernel boots. It only shows up for about 3 seconds. As far as I know the preloader is stored in a ROM so I don’t think it can be changed. This is good because hopefully this will allow even the newest AFTV2 devices to be rooted. The bad news is that we may not have much hope of unlocking the regular bootloader unless there is a bug like the signing bug in the AFTV1. The entire boot chain is cryptographically signed from what I’ve been able to inspect. An unlocked bootloader would most likely be needed to flash a custom kernel (no kexec of course, but modules/device drivers can be loaded) and create ROMs not based on stock. So in conclusion the tools here allow you to modify the flash contents and using these facilities we have add SuperSU binaries to the system partition.
Anyone interested in how root was obtained should look at the history starting with this post. You should also read the README file from the aftv2-tools git repo. Also feel free to PM me if you have any questions.
Facebook: Xbmc Tips And tricks https://www.facebook.com/groups/565124710285772/
Facebook: Xbmc Tips And tricks https://www.facebook.com/groups/565124710285772/ VPN SETUP KODI: http://vpn.kodi17.com Forum: http://xbmcm3u.com kodi Evo Tech https://www.youtube.com/channel/UCkfg9-oz3rqYVqnyRr7gHyQ http://Funkykitchengadgets.com IPVanish VPN Link: https://www.ipvanish.com/?a_aid=559b2ebabc791&a_bid=48f95966 Twitter: https://twitter.com/Miniboxpro http://querisavines.com Merica Build http://kodinews.net/Plugins Kodi UFC http://kodiufc.com BEST FULLY LOADED BOXES http://amzn.to/2cAhjF5 Best Boxes for Kodi