Unlocking the Bootloader and Installing TWRP – How to Guide
- OK first. This is important. Do NOT do this on a Firestick 4K straight out of the box. You should set it up first.
At a minimum it needs your Amazon account on it, the remote control set up and the updates installed.
I fully configure mine before I start, including putting on an alternative launcher (I recommend you do the same).
- As stated, you need to ensure ADB is installed and working on your PC before you begin.
I use the ADB included with scrcpy. If you do not already have ADB installed I recommend you do the same.
Once you have downloaded scrcpy, create a folder on your c: drive named: scrcpy-win64
Extract the contents of the scrcpy zip file you downloaded to the new folder.
- Next on your Firestick 4K go to: Settings>My Fire TV>Developer Options and turn on ADB Debugging and Apps from Unknown Sources.
Note: After you turn on ADB Debugging and first connect a device to it you will see a dialog like the below.
You should tick the box to always allow connections and click OK.
I recommend you do this now. Use the cable from your power adapter and plug it into a USB port on your laptop.
Leave the other end of the cable and the HDMI cable connected to your Firestick 4K.
If the dialog in the image below does not appear when the 4K loads up fully, open a command prompt and type:
then press <enter>
then press <enter>
The dialog will then appear (if it had not already).
The command window should return something like:
List of devices attached
Where the letters/numbers correspond to the serial number of your 4K.
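The ADB check described above, as an added example that is not part of the original guide: a small shell helper that reads `adb devices` output and reports whether the connection has been authorised (state `device`) or the dialog is still waiting (state `unauthorized`). It assumes `adb` is on the PATH in a POSIX shell; the function names and the sample serial are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Read `adb devices` output on stdin and print "serial state" per device.
# Skips the "List of devices attached" header, "* daemon ..." notices
# and blank lines.
adb_parse() {
    awk '/^List of devices attached/ || /^\*/ || NF < 2 { next }
         { print $1, $2 }'
}

# Print a one-word status; return 0 only when exactly one device is
# attached and authorised.
adb_status() {
    parsed=$(adb_parse)
    [ -n "$parsed" ] || { echo "no-device"; return 1; }
    count=$(printf '%s\n' "$parsed" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || { echo "multiple-devices"; return 1; }
    case "${parsed#* }" in
        device)       echo "ready" ;;
        unauthorized) echo "unauthorized"; return 1 ;;  # dialog not accepted yet
        *)            echo "not-ready"; return 1 ;;     # e.g. offline
    esac
}

# Constructed sample: what adb prints before the dialog is accepted.
# The serial number is a placeholder.
SAMPLE=$(printf 'List of devices attached\nG0PLACEHOLDER0001\tunauthorized\n')

printf '%s\n' "$SAMPLE" | adb_status || true

# Live check (assumes adb is on the PATH):
#   adb devices | adb_status
```

A result of `unauthorized` means the dialog on the TV has not been accepted for this PC yet; `ready` means the connection is authorised and the serial is listed with state `device`.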
- Shut down the 4K and remove the cables.
- Use Rufus to burn the FireISO to a USB drive or CD (I use a 32GB thumb drive, but you can use much smaller).
- Boot up Linux using the USB drive
- Download the kamakiri-mantis exploit code and extract the kamakiri folder to the desktop.
- Make sure no cables are attached to the 4K and remove the Firestick 4K casing using a credit card (or similar).
See images below, but part 1 of my 3-step video tutorial (when I complete the next 2 steps) details this step.
- Remove one of the heatshields. See images below for details of which heatshield to remove (it is the one with the 2 small black pads on it).
It may be possible to pull off the heatshield with your fingers (depending on the amount of glue used, if any, as the heatshield is mostly just clipped on/pressed into a metal frame), so try this first.
Go gently; too much force could damage the 4K, possibly beyond repair.
This is the heatshield you need to remove. Note the 2 square rubber pads on the heatshield.
(see below if unable to remove with fingers).
Below is the heatshield NOT to remove.
This has the 2 square antennae near it (not rubber pads on it) and should not be touched.
If it does not come off easily then find a small flat head screwdriver (plastic if possible), insert it at the point shown below and apply slight rocking pressure.
Increase the pressure slowly. This is the point where there is most likely to be damage caused (but if you go carefully it will be okay).
There may be other points you can use to lever off the heatshield. I will leave this to you to decide if you wish to try this.
Below is the 4K with the heatshield removed.
The tiny dot next to the red arrow is the point we need to short.
It is the leftmost of a group of 3 similar points. There is a close-up image of this area further below.
Do not worry if your eMMC chip is from a different manufacturer.
There are a few variants (including SanDisk, SK Hynix, and SEC) and all 3 are used in the images in the guide.
- The closeup image below indicates the place to short.
Important: Do NOT use a screwdriver, tweezers etc to make the short.
There is a good chance you will knock off the components, as many others have done.
You need to use a small piece of tinfoil (aluminum foil) for the short.
Fold it up so it is the right size to fit under (and touch) the heatshield frame and so it completely covers the short point (touches both sides of the short point, bridging it).
Make the short (and be gentle, we don’t want to damage the cap).
If you have a camera with macro mode, this will make it much easier to make/check the short.
The image below shows the short with tinfoil in place.
The blue colour in the image is Blu Tack. I use this to hold the tin foil in place.
- We can now connect the cables back to the 4K.
Do not connect the USB cable to the power adapter or the PC/Laptop with Linux on it.
Do connect the USB cable to the 4K.
Do connect the HDMI cable to the 4K and to your TV/Monitor.
Do have the USB cable ready to connect to the Linux PC/Laptop as we will connect it soon.
- OK, back to the Linux installation.
Open a terminal in the kamakiri directory (the one you extracted to the desktop earlier).
To do this, right-click the kamakiri folder and select the option to do so from the menu.
- Run the code: ./bootrom-step.sh
- Now connect the 4K stick to your computer using the USB cable that usually supplies power to the 4K (do not connect the power adapter).
Be careful not to disturb the short connection.
- Look back at the terminal window.
The script should now tell you to remove the short (do this carefully) and press enter.
- If it does not (ask you to remove the short) and remains blank or gives an error such as:
ERROR: Serial protocol Mismatch. Expected 0001 got 0000, then you likely did not create the short properly.
Close the terminal window, disconnect the 4K from the Linux PC/Laptop USB port.
I also disconnect the HDMI cable from the 4K at this point.
Now repeat the 6 steps above (10-15).
- The exploit code will now run.
It will take a minute or two to complete (the code will stop and it will be back at a command prompt when finished).
When finished, run the code: ./fastboot-step.sh
- Your device will boot into TWRP within a few seconds.
The exploit is now complete and the bootloader on the 4K is now unlocked.
- At this point you can disconnect the 4K and reattach the heatshield and casing.
The Linux USB Boot drive is now finished with. You can now shut it down.
- The next time you boot up your Firestick 4K, follow the guide to root it.
This will open up all sorts of possibilities with it, including disabling Amazon OTA (over-the-air) updates (recommended) and deleting the Amazon Launcher (only if you are sure you never want to use it).
Deleting the Amazon Launcher was the first thing I made sure I learned how to do after getting root.