Warning: Blocking software updates via a Router may no longer work


I’ve been informed that software updates for the Amazon Fire TV and Fire TV Stick are now being distributed through the new domain https://amzdigital-a.akamaihd.net via HTTPS. Since none of my Fire TVs or Fire TV Sticks have received the new 5.0.5.1 software update, I have not been able to confirm this change myself yet. If true, this means that blocking software updates via a router or a filtering service like OpenDNS may no longer work. Most routers are incapable of blocking secure SSL connections to an HTTPS domain due to the encrypted nature of the request. If you are relying solely on your router to block updates, you should immediately block updates on your Fire TV itself, as outlined in the first two methods of my blocking guide. With Fire OS 5, it is now possible to block updates on the Fire TV without needing root. I will update this post once I’ve been able to confirm this change myself.

Update

I have now personally confirmed that software updates are now being served from the new domain, mentioned above, via HTTPS. I have updated my blocking guide accordingly, but be warned that many routers cannot block HTTPS requests. If you cannot use method 1 or 2 in my blocking guide, I suggest you use method 4 because DNS filtering services like OpenDNS can block HTTPS requests. To test if your router or OpenDNS is blocking the update file, you can try downloading this file and see if it fails to download or not.
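
A DNS-level block can also be checked without downloading anything, by asking the resolver for the update domain and seeing whether the answer is missing or points at a dead address. The script below is an added example, not part of the original post; the function names, verdict labels and the optional `sinkholes` list (for a filter that answers with its own block-page address) are assumptions made for illustration.

```python
import ipaddress
import socket

UPDATE_HOST = "amzdigital-a.akamaihd.net"  # update domain named in the post


def resolve(host):
    """Ask the system resolver for host; return sorted addresses, [] if none."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []  # NXDOMAIN, or the resolver could not be reached
    return sorted({info[4][0] for info in infos})


def classify(addresses, sinkholes=()):
    """Judge a resolver answer.

    'no-answer'  nothing came back (blocked, or no working DNS at all)
    'sinkholed'  every address is loopback, 0.0.0.0/:: or a listed sinkhole
    'partial'    some addresses are dead but at least one is routable
    'resolves'   the name resolves normally, so DNS is not blocking it
    """
    if not addresses:
        return "no-answer"
    sink = {ipaddress.ip_address(s) for s in sinkholes}

    def dead(addr):
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 scope id
        return ip.is_loopback or ip.is_unspecified or ip in sink

    flags = [dead(a) for a in addresses]
    if all(flags):
        return "sinkholed"
    return "partial" if any(flags) else "resolves"


if __name__ == "__main__":
    answer = resolve(UPDATE_HOST)
    print(UPDATE_HOST, answer or "no answer", "->", classify(answer))
```

Run it from a computer on the same network that uses the same DNS server as the Fire TV, since a hosts file or resolver setting on the computer alone says nothing about what the Fire TV sees. A "partial" verdict means one address family (for example IPv6) is still getting through.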

27 comments
  1. Daniel says:

    I’m blocking my 2 sticks via router and method 2, you think it may be possible that they block Kodi in the near future?

  2. Jack Green says:

    Do hosts file entries still work?

  3. Tim says:

    Well this is ominous.

    No pressure on getting us a recovery for the Fire Stick rbox…

    [cough]

  4. Bob says:

    I am getting an error when trying to block updates on my FireTv2 running 5.04

    shell@sloane:/ $ adb shell pm hide com.amazon.device.software.ota
    adb shell pm hide com.amazon.device.software.ota
    error: device offline
    255|shell@sloane:/ $

    Any suggestions or does that mean that they are already blocked?

    • AFTVnews says:

      You’re already in adb shell (indicated by the “shell@sloane” part at the beginning) so you just need to enter the “pm hide com.amazon.device.software.ota” part.

      You’re supposed to connect via adb and then run the command without needing to enter “adb shell” first separately.

  5. Tim says:

    I had that problem. Make sure Firestarter’s ADB options in settings are unchecked. Then go into Manage Applications and stop it, then clear the cache for good measure. Then toggle ADB Debugging off and back on in Developer Options. I rebooted it too for good measure.

    You can see the firmware version in the About section in… Settings I think.

  6. Tim says:

    Oooooh, wait, you made the same mistake I initially did.

    Once you have a shell (and you had it because it says “shell@sloane:/ $”), the command is “pm hide com.amazon.device.software.ota”, not “adb shell pm hide com.amazon.device.software.ota”

    Elias’ instruction in the guide isn’t clear I think. The commands should be:

    adb connect (whatever the IP address is)
    adb shell
    pm hide com.amazon.device.software.ota

    Then you should get “Package com.amazon.device.software.ota new hidden state: true”

    Type exit to… well, exit adb shell, and you should be good to go.

  7. Bombo says:

    Install the update and what I can do now to not update anymore?

  8. Monami says:

    Going to https://amzdigital-a.akamaihd.net in a browser shows “not a file” error. After blocking with dnsmasq as with OTA addresses before, it times out and pings resolve to localhost. Blackholing with openwrt adblock package works as well.

    I don’t use it but wouldn’t opendns work similarly since even with https connection it still needs to resolve the address before connecting?

    • AFTVnews says:

      Yes, some routers and some DNS filtering services will probably still be able to block the reported new updates, but since I have not confirmed any of this myself and haven’t analyzed the new update protocol yet (since I haven’t received the update) I wanted to err on the side of caution with this post. I’d rather tell people their blocks don’t work and later clarify that they do work, instead of telling them they’re probably covered with their current blocks and have them find out when it’s too late that I was wrong. Once I have a box or stick requesting the update, I’ll be able to figure out which blocking methods still work. I don’t want to speculate on what blocking methods will work without being able to test them myself, but thanks for the suggestions.

      • Tim says:

        Thank you sincerely for these updates Elias, they’re very timely. I suspect that this period right now is when those that have control of their devices either take affirmative steps to keep it, or cede ultimate control of what can be done with it to Amazon forever.

        Dramatic sounding I know, but really, we’re actually losing significant abilities to do things on devices we paid for here.

  9. Robert says:

    I am blocking updates using fake host entries in my firewall box.
    for those who have such feature simply add the new address:
    Host IP: 127.0.0.1
    Hostname: amzdigital-a
    Domainname: akamaihd.net

  10. IrishBiker says:

    I can confirm that my NetGear D7000 using NetGear’s OpenDNS is now blocking https://amzdigital-a.akamaihd.net

  11. PharmerNate says:

    I turned my AFTV on to block updates via ADB on the AFTV itself (non-rooted) and I got a popup saying an update was available but chose to ignore it (First time I’ve ever gotten the option to ignore)

    I successfully (at least seemingly) hid the update service.

    Was I too late, or do you think it will work?

  12. WickedForte says:

    Well, hopefully my non rooted 5.0.4 doesn’t update! I just now blocked it in my opendns knowing it may not work. Been putting off root due to a lack of a resource called time to get it.

  13. phry says:

    You are mixing things up here.

    DNS is resolving the name example.com to an ip address.

    Only after that a http or https connection is established with that ip address. And only at that point the router cannot know exactly what web site the browser is requesting from the server at a certain ip when the request is https-encrypted.

    But the dns block occurs one step earlier: at the dns request. This request is answered by the router and always unencrypted (unless dnscrypt is used, which at the current point of time is not really actively used, but more a theoretical approach).
    So dns blocking will still work, as it occurs at this stage.

    If you need more explanation, drop me an email ;)

    • Monami says:

      Yes, as I mentioned above, dns based blocks work fine. The purpose of this article is more to warn of the new host domain and for users using inadequate “url filter” blocking with basic router software, which the previous blocking guide recommended, that filters after the dns request and cannot catch encrypted connection.

    • AFTVnews says:

      Thanks for the clarification. I originally included dns type blocks in my post just to be cautious since I hadn’t tested things myself yet. Now that I’ve received the update and had the chance to see what the update request looks like, I’ve updated the post and removed the warning about OpenDNS because, like you say, it still works to block updates.

  14. Roberto says:

    Can’t you just configure your fire tv to not update or to ask first?

  15. Joe says:

    What is the command to verify that updates have been blocked on the fire tv?
