A group that goes by the name Exploitee.rs is claiming to have rooted the Amazon Fire TV Cube and Amazon Fire TV 3 (pendant). The exploit, colorfully named FireFU, has not yet been verified to work by anyone outside of the group, but their explanation of the exploit and their instructions are quite thorough, so there is little reason to doubt that their claims are genuine. Unfortunately, the rooting method they’ve come up with is unlikely to be performed by many people because it relies on using a microcontroller, such as an Arduino or Teensy board, to force the Fire TV Cube or Fire TV 3 to enter a firmware upgrade mode by communicating with it over its HDMI connection.
This new rooting method relies on two separate vulnerabilities that work together to allow the user to run unsigned code that roots the device. The first vulnerability uses the HDMI port’s Display Data Channel (DDC), a communication channel that allows two devices to talk to one another over the HDMI connection. The group discovered that sending a specific command over this channel causes the Amlogic CPU in both the Fire TV Cube and Fire TV 3 to enter Device Firmware Upgrade (DFU) mode, a state in which the streaming player’s firmware can be modified. Both devices use the exact same Amlogic CPU, and this discovery is specific to that Amlogic CPU, so it’s unlikely to work on other Fire TV models, such as the new Fire TV Stick 4K, which uses a MediaTek CPU.
It is this first step that likely makes this rooting method unachievable by most people, because in order to send the HDMI signal that puts the device into DFU mode, a microcontroller must be connected to the Fire TV device’s HDMI port. The creators of this rooting method have successfully executed the exploit using an Arduino Due board and a Teensy 3 board, but since DDC is carried over an I2C bus, any microcontroller that can provide an I2C bus should also work.
After putting the Fire TV Cube or Fire TV 3 into DFU mode, the device is primed for new firmware, but it’s still not possible to load custom firmware because its bootloader is locked, which means it will only accept firmware that was signed by Amazon. This is where the second vulnerability comes in. The rooting method triggers a heap overflow that corrupts the device’s memory so that the bootloader behaves as if it were unlocked. With a temporarily unlocked bootloader, it’s just a matter of using Android’s regular fastboot utility to flash a new boot image and a new recovery image that root the device.
Theoretically, if a method were found that puts the streaming device into DFU mode without the need for a microcontroller board, it would be possible to root the device using only a computer. Unless that happens, this rooting method will probably remain in use by only a small number of diehard enthusiasts, much like the eMMC hardware rooting method. Additionally, without a widespread and easily achievable rooting method, it’s unlikely that the Fire TV Cube and Fire TV 3 will see the same kind of pre-rooted ROM and custom recovery support that the Fire TV 1, Fire TV 2, and Fire TV Stick 1 have seen.