How to root the Amazon Fire TV using the Dirty COW vulnerability

dirtycow-dirty-cow-fire-tv
This guide will show you how to root the Amazon Fire TV using the DirtyCOW exploit. This is primarily for the 1st-gen Fire TV running older Fire OS 3 versions that were previously unrootable, but it may work for other devices and software versions.

Important Note:
I am posting this guide because I have been asked by several people to post it, but I have not personally followed this guide because I no longer have a device running the software versions that this guide is known to work for. Full credit for this guide goes to slater_g on XDA for posting his instructions and christofsteel on XDA for first sucessfully using Drity COW. Please proceed with caution and at your own risk because I will not be able to help with issues. Please discuss problems and successes in the comments to help others.

Compatible Devices:
Always check my rooting starters guide for the best method to root your device.
This guide is primarily for Fire TV 1 running Software version 51.1.2.0 thru 51.1.4.0. Those specific software versions have no other way to root. If you’re Fire TV 1 is on 51.1.4.1 thru 51.1.6.3, this guide might work to root your device, but you will not be able to downgrade and unlock your bootloader due to the eFuse. This guide might work on Fire TV Stick 1s running Fire OS 3, but I have not seen confirmation. This guide does not work to root Fire OS 5 version 5.2.1.0 and up, regardless of which Fire TV or Fire TV Stick model you have.

Rooting Guide

  1. Download and extract the ZIP file at the bottom of this XDA post
  2. Ensure your device is using a dynamic DHCP IP, meaning you have not set a static IP under network settings.
  3. Connect to your device via ADB.
  4. Transfer the 3 files you extract from step 1 to the /data/local/tmp directory on your device by running the following 3 seperate comamnds:
    adb push dirtycow /data/local/tmp
    adb push ip_script /data/local/tmp
    adb push su /data/local/tmp

    NOTE: Be sure to replace dirtycow and ip_script and su in the commands above with the full path to those extracted files on your PC.

  5. Enter ADB Shell by running the command:
    adb shell
  6. Copy your device’s IP binary by running the command:
    cp /system/bin/ip /data/local/tmp
  7. Make the scripts executable by running the following 2 separate commands:
    chmod 755 /data/local/tmp/ip_script
    chmod 755 /data/local/tmp/dirtycow
  8. Go to script directory by running the command:
    cd /data/local/tmp/
  9. Execute the script by running the command:
    ./dirtycow /system/bin/ip ip_script
    NOTE: This will take around 10 minutes to run. When done, it will output something like:

    [ *] mmap 0xb51e5000
    [ *] exploit (patch)
    [ *] currently 0xb51e5000=464c457f
    [ *] madvise = 0xb51e5000 17944
    [ *] madvise = 0 1048576
    [ *] /proc/self/mem 1635778560 1048576
    [ *] exploited 0xb51e5000=464c457f
  10. Exit ADB Shell by running the command:
    exit
  11. Disconnect ADB.
  12. Execute the exploit by setting a static IP for your device’s network connection. If you don’t know the values you should enter for a static IP, you should go to Settings > System > About > Network on your device and write down the values listed. If you don’t know how to set a static IP, follow this guide.
  13. Once your device connects to the network using a static IP, the exploit will automatically run in the background and root your device. You can check that your device is rooted by connecting via ADB, entering adb shell, and entering su to verify that your terminal/command prompt changes from $ to #

For Fire TV 1 on software version 51.1.4.0 or older

Follow these steps to get custom recovery installed and get your device on the what ever pre-rooted ROM you want.

  1. Block software updates on the device by following method 1 of this guide. (Be sure to use the Fire OS 3 command.)
  2. Download stock software version 51.1.0.2_user_510058520 from here (mirror).
  3. Downgrade your device to version 51.1.0.2_user_510058520 by following this guide.
  4. Dowgrading removes root, so re-root your device using the TowelRoot method.
  5. Unlock your bootloader using this guide.
  6. Install ClockworkMod custom recovery by following this guide.
  7. Install pre-rooted ROM version “51.1.4.0_514006420 updated” using this guide.
  8. Install the kernal boot menu using this guide.
  9. Install pre-rooted ROM version “51.1.6.3_516012020” using this guide. If you wan tto stay on Fire OS 3, you can stop following the guide after this step, but if you wan to install TWRP and update to Fire OS 5, then continue with the last 2 steps.
  10. Follow section 1 of this guide to install TWRP custom recovery.
  11. Install the latest Fire OS 5 pre-rooted ROM by following this guide.

ShareTweetShare+1

3 comments
  1. Hebert says:

    Hi Elias,

    My Fire Tv Stick isn’t let me play anything except the titles that are in watch tv abroad.

    It kept asking me to choose Amazon Video. In a window that I’ve never seen before.

    It’s that anyone else having this same issue?

    It appears that amazon is software blocking anyone outside the USA.

    This appears to be the END.

    Please, let me know.

    • Hebert says:

      Please, disregard what I’ve said it above.

      After a full reset. It started to work again like it supposed to be.

      I suspect now it was a power outage that garbled my fireTV stick file system.

      Sorry for the false alarm.

  2. Prowler says:

    I don’t believe step 9 (For Fire TV 1 on software version 51.1.4.0 or older) is necessary. Just go to step 10 (install TWRP), then select any image you want after that (FireOS 3 or FireOS 5) …

Leave a Reply

Your email address will not be published. Required fields are marked *

*