The 2nd-Gen Fire TV may have a partially unlocked bootloader that could lead to rooting


Earlier this week, Amazon’s new $50 Fire tablet was rooted. This new tablet shares a lot of similarities with the 2nd-gen Fire TV since both run Fire OS 5 and both use a MediaTek CPU. After talking with csolanol, one of the creators of the Fire tablet’s rooting method, and rbox, creator of the 1st-gen Fire TV’s custom recovery and ROMs, it seems the 2nd-gen Fire TV might have a bootloader capable of accepting custom boot images which could lead to rooting the device.

An Android device’s boot image contains the device’s kernel and ramdisk. Skipping the technical details, the boot image is what launches first on power up to prepare the device for the operating system. Most Android devices, including the 1st-gen Fire TV and Fire TV Stick, ship with a locked bootloader which prevents anyone from modifying the device’s boot image. Modifying the boot image is done with a utility called fastboot. On the 1st-gen Fire TV and Fire TV Stick, running fastboot commands will result in an error message informing you the device’s bootloader is locked. Running those same fastboot commands on the new Fire tablet and the 2nd-gen Fire TV does not result in an error message, indicating the device’s bootloader is at least partially unlocked.

To gain root access, one needs to modify the device’s system files which are normally protected from being changed. Most rooting methods use an exploit to trick the operating system into allowing a regular user to modify the protected system files. The Fire tablet rooting method does not use an exploit, but instead takes advantage of the devices unlocked bootloader by simply loading a customized boot image that sets the entire system partition as writable upon boot up, instead of setting it as a read-only file system like it is normally configured.

The team that rooted the Fire tablet simply extracted the boot image from the device’s software update package provided by Amazon, and modified it to mount the system partition as writable. They then took this modified boot image and used it to boot the tablet, which they could do because of the unlocked state of the tablet’s bootloader.

The 2nd-gen Fire TV appears to have a similarly unlocked bootloader that will accept modified boot images. The problem is, we do not have the Fire TV’s original boot image to use as a base for the modified version. This is because Amazon switched to incremental updates on the new Fire TV. The boot images that can be extracted from the 2nd-gen Fire TV’s software updates are only patches and are incomplete. Without the original boot image, there is no way to achieve root with the same method as the Fire tablet. We don’t even know if the 2nd-gen Fire TV will accept a modified boot image in the same manner, since Amazon may be checking the boot image’s signature which would be rejected if it’s modified. The 1st-gen Fire TV and the Fire TV Stick are not vulnerable to this new possible root method, so those device are no closer to being rooted. The 2nd-gen Fire TV appears to accept custom boot images, since it does not reject fastboot commands, but we won’t know for sure until we have the stock boot image to use for testing.

Amazon can close this rooting avenue with a software update, so you might want to block updates once you’re happy with the state of bug fixes that Amazon is still releasing, if you want to root your 2nd-gen Fire TV. That said though, there is no way to know if we’ll ever get a complete original boot image, so you might be waiting forever. Theoretically, if someone is able to successfully hardware root the 2nd-gen Fire TV, they could then extract the boot image directly. That is likely the best bet to getting the original boot image, since it doesn’t seem like Amazon will ever provide a complete (non-partial) software update for the 2nd-gen Fire TV. I know of only one person who is attempting to hardware root the 2nd-gen Fire TV. Hopefully this new information about the bootloader will spur others to give it a shot.


  1. Tim says:

    Excellent analysis and update, Elias.

    I have been watching the XDA forums as of late and there seems to be a renewed interest in rooting the AFTV 2. Hearing that the bootloader appears to be partially unlocked gives me hope that those of us wishing to tinker with the bootloader will be able to in the future.

    Due to the 7″ Fire tablet being rooted, I am thinking of picking one up. At that cost point and the ability to root it, it would almost seem foolish not to consider it a solid option to buy.

    I am not sure about other readers here, but I would really love to see any updates posted if someone does manage to root the AFTV 2.

    • jim says:

      BTW wha does rooting offer you that sideloading apps to the ftv2 doesnt?

      • LG says:

        You can install an adblocker. You can play with xposed. You can add a custom recovery. You can add your own launcher. You can play with google play. A big etcetera

      • clocks says:

        Personally, I’ve never felt the need/desire to root.

        • ZeroDays says:

          You’re making your device vulnerable to all sort of attack.
          As far as root account is concerned, we never login to our servers with root account.

          Side/Front loading sounds good to me ;-)

          • h2testw says:

            Don’t be ridiculous, no on wants to attack your streaming box. Just like in linux, you still need to confirm root access.

          • Vulcan195 says:

            You are right. One has to allow root access – kinda like Windiws 7 asking our permission to install a program. But do we really know if we should trust an APK we downloaded via a link provided by a stranger in a forum?
            Hackers are not interested in streaming boxes but they would like to be sitting there since its on the same network as all your other household computers !!
            Only root it if you are not sharing the network with other devices.
            Does anyone know if the Amazon password that’s saved in the FireTV can be exposed? That would open up additional risks.

          • H.E.C. says:

            The password is not stored in FTV – your FTV Serial Number is stored at Amazon servers during purchase or (re-)activation of the FTV – all done via HTTPS.

      • rotorooter says:

        You can mount different file system network drives with root.

      • Tim says:

        I think others have noted what I would say an advantage would be. It all comes down to control and the ability to install apps that do require root (E.g. Adaway, Xprivacy, etc.)

        I am a person who likes to tinker with such things so I understand the limitations and drawbacks to doing so. As others have noted this could potentially be a risky operation (not to mention you could brick your device if rooting is done improperly), but the benefits for me outweigh the risks.

        To each their own, but root would essentially give me full control over my AFTV 2. If a custom ROM is made for it, I would love to give it a go if it offered features not found in the stock software.

Leave a Reply

Your email address will not be published. Required fields are marked *