I’ve been informed that sofware updates for the Amazon Fire TV and Fire TV Stick are now being distributed through the new domain
or a filtering service like OpenDNS may no longer work. Most routers are incapable of blocking secure SSL connections to an HTTPS domain due to the encrypted nature of the request. If you are relying solely on your router to block updates, you should immediately block updates on your Fire TV itself, as outlined in the first two methods of my blocking guide. With Fire OS 5, it is now possible to block updates on the Fire TV without needing root. I will update this post once I’ve been able to confirm this change myself.
I have now personally confirmed that software updates are now being served from the new domain, mentioned above, via HTTPS. I have updated my blocking guide accordingly, but be warned that many routers cannot block HTTPS requests. If you cannot use method 1 or 2 in my blocking guide, I suggest you use method 4 because DNS filtering services like OpenDNS can block HTTPS requests. To test if your router or OpenDNS is blocking the update file, you can try downloading this file and see if it fails to download or not.
I’m blocking my 2 sticks via router and method 2, you think it may be possible that they black Kodi in a near future?
Do hosts file entries still work?
Well this is ominous.
No pressure on getting us a recovery for the Fire Stick rbox…
I am getting an error when trying to block updates on my FireTv2 running 5.04
shell@sloane:/ $ adb shell pm hide com.amazon.device.software.ota
adb shell pm hide com.amazon.device.software.ota
error: device offline
Any suggestions or does that mean that they are already blocked?
You’re already in adb shell (indicated by the “shell@sloane” part at the beginning) so you just need to enter the “pm hide com.amazon.device.software.ota” part.
You’re supposed to connect via adb and then run the command without needing to enter “adb shell” first separately.
I had that problem. Make sure Firestarter’s ADB options in settings are unchecked. Then go into Manage Applications and stop it, then clear the cache for good measure. Then toggle ADB Debugging off and back on in Developer Options. I rebooted it too for good measure.
You can see the firmware version in the About section in… Settings I think.
Oooooh, wait, you made the same mistake I initially did.
Once you have a shell (and you had it because it says “shell@sloane:/ $”), the commend is “pm hide com.amazon.device.software.ota”, not “adb shell pm hide com.amazon.device.software.ota”
Elias’ instruction in the guide isn’t clear I think. The commands should be:
adb connect (whatever the IP address is)
pm hide com.amazon.device.software.ota
Then you should get “Package com.amazon.device.software.ota new hidden state: true”
Type exit to… well, exit adb shell, and you should be good to go.
So the PM hide command works on unroofed devices and is just like the PM Disable command?
Yes, this is the method you use for unrooted devices (that are running Fire OS 5) to block updates.
Install the update and what I can do now to not update anymore?
Going to https://amzdigital-a.akamaihd.net in a browser shows “not a file” error. After blocking with dnsmasq as with OTA addresses before, it times out and pings resolve to localhost. Blackholing with openwrt adblock package works as well.
I don’t use it but wouldn’t opendns work similarly since even with https connection it still needs to resolve the address before connecting?
Yes, some routers and some DNS filtering services will probably still be able to block the reported new updates, but since I have not confirmed any of this myself and haven’t analyzed the new update protocol yet (since I haven’t received the update) I wanted to air on the side of caution with this post. I rather tell people their blocks don’t work and later clarify that they do work, instead of telling them they’re probably covered with their current blocks and have them find out when it’s too late that I was wrong. Once I have a box or stick requesting the update, I’ll be able to figure out which blocking methods still work. I don’t want to speculate on what blocking methods will work without being able to test them myself, but thanks for the suggestions.
Thank you sincerely for these updates Elias, they’re very timely. I suspect that this period right now is when those that have control of their devices either take affirmative steps to keep it, or cede ultimate control of what can be done with it to Amazon forever.
Dramatic sounding I know, but really, we’re actually losing significant abilities to do things on devices we paid for here.
I am blocking updates using fake host entries in my firewall box.
for those who have such feature simply add the new address:
Host IP: 127.0.0.1
I can confirm that my NetGear D7000 using NetGears OpenDNS is now blocking https://amzdigital-a.akamaihd.net
I turned my AFTV on to block updates via ADV on the AFTV itself (non-rooted) and I got a popup saying an update was available but chose to ignore it (First time I’ve ever gotten the option to ignore)
I successfully (at least seemingly) hid the update service.
Was I too late, or do you think it will work?
Tell me how you did it please
Well, hopefully my non rooted 5.0.4 doesn’t update! I just now blocked it in my opendns knowing it may not work. Been putting off root due to a lack of a resource called time to get it.
You are mixing things up here.
DNS is resolving the name example.com to an ip address.
Only after that a http or https connection is established with that ip address. And only at that point the router cannot know exactly what web site the browser is requesting from the server at a certain ip when the request is https-encrypted.
But the dns block occurs one step earlier: at the dns request. This request is answered by the router and always unencrypted (unless dnscrypt is used, which at the current point of time is not really actively used, but more a theoretical approach).
So dns blocking will still work, as it occurs at this stage.
If you need more explanation, drop me an email ;)
Yes, as I mentioned above, dns based blocks work fine. The purpose of this article is more to warn of the new host domain and for users using inadequate “url filter” blocking with basic router software, which the previous blocking guide recommended, that filters after the dns request and cannot catch encrypted connection.
Thanks for the clarification. I originally included dns type blocks in my post just to be cautious since I hadn’t tested things myself yet. Now that I’ve received the update and had the chance to see what the update request looks like, I’ve updated the post and removed the warning about OpenDNS because, like you say, it still works to block updates.
Can’t you just configure your fire tv to not update or to ask first?
There is no such option in Fire OS. Updates are not optional.
I use the method we both think enough not receive more updates? today I have the latest version 5.0.1
What is the command to verify that updates have been blocked on the fire tv?