I picked up a few rootable AFTVs recently and decided to share a folder I put together full of essential APKs to sideload when dealing with a new/rootable AFTV. If there's anything you feel should be added, let me know. Scan the files if you'd like. They're clean. I don't have the know-how or the need to infect apps with malicious files. They were all downloaded from the official website, or through the Google Play Store/Evozi. I included an older version of SuperSU for older versions of the AFTV software. Lastly, I use these for the AFTV Box. I'm not sure if these are the same exact files you should use with the AFTV Stick.
link: https://www.dropbox.com/s/i1ywqa0plernezh/essential_apks.zip?dl=0
list of APKs:
Android_Settings_v4.0.4.apk
de.robv.android.xposed.installer_v32_de4f0d.apk
eu.chainfire.supersu.v1.97.apk
eu.chainfire.supersu.v2.46.apk
GoogleAccountManager_4.0.3-239410.apk
GooglePlayservices_4.4.52(1174655-036).apk
googleplaystore.apk
googleservicesframework.apk
HDXPosed-1.3.apk
llama.apk
MarketHelper-1.1.apk
stericson.busybox.apk
towelroot.apk
edit: made a mistake in the description.
I like it, but why 2 versions of supersu?
ldeveraux said:
I like it, but why 2 versions of supersu?
I was having problems with the newer version of SuperSU opening on 51.1.0.1_user_510055620. The older version was working fine, so I included it.
Hi Everyone,
I saw that the AT&T 5.1 OTA had 4/6 Stagefright vulnerabilities patched already, so I thought I would try to make it work with the Developer Edition XT1053. In theory, this should also work with other models that are on at least Lollipop 5.1.
NOTE: This process only works if you have root access. If you do not, you will not be able to apply this library.
1) Use a File Explorer App, navigate to the system/lib folder and find the libstagefright.so file
2) Backup this file to your internal memory under sdcard, in case you need a stock version for when the official update comes
3) Download the AT&T libstagefright.so file (I attached the XT1053 5.1 stock version and the XT1058 5.1 AT&T version, in case you cannot backup yours)
4) Overwrite the libstagefright.so file and modify the permissions of the lib to match the other library files in the directory (Should be rw-r--r--)
5) Open the Stagefright detector app and run it, you should now be 4/6 vulnerabilities patched
This might seem like a very dumb question but I'll ask anyway: Why wouldn't this work for 4.4 or 4.2?
I have the XT1058 with 4.2.2 and I would like to give it a try, unless it may cause bricking.
Corsario_Negro said:
This might seem like a very dumb question but I'll ask anyway: Why wouldn't this work for 4.4 or 4.2?
I have the XT1058 with 4.2.2 and I would like to give it a try, unless it may cause bricking.
The .so static libraries are compiled with a particular version of Android in mind (in this case 5.1), which means that it unfortunately couldn't work on earlier versions of Android.
mastarifla said:
The .so static libraries are compiled with a particular version of Android in mind (in this case 5.1), which means that it unfortunately couldn't work on earlier versions of Android.
I see. Guess I'll have to upgrade if I want this bug gone from my phone.
Security patch is of June 2017. ro.build.version.security_patch=2017-06-01
We can try all exploits which came after that.
So far not able to find any exploit for tank, I'm sharing the latest bin and extract so we can collectively find some.
Drive Link
Succeeded with this exploit https://www.xda-developers.com/janus-vulnerability-android-apps/.
Able to modify and update system apps and gain system app privilege.
Script used > https://github.com/V-E-O/PoC/tree/master/CVE-2017-13156
I have only tested this on tank since I don't have other devices. Theoretically it should also work on all Fire devices which don't have the latest security patch.
Install this apk to block installing new updates from Amazon. It will still download the OTA bin file for you to experiment, but the OTA install will fail as the install code is removed.
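For anyone who wants to check a sideloaded APK for the file shape the Janus write-up describes (a file that begins with a DEX header yet still parses as a ZIP archive), here is an added example that is not part of the original post or of the linked PoC. The function names are hypothetical and both sample files are constructed in memory; the prefixed one carries only the DEX magic and is not a loadable DEX.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"
EOCD_SIG, CDH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"


def find_eocd(data):
    """Offset of the ZIP End of Central Directory record, or -1."""
    floor = max(0, len(data) - 22 - 0xFFFF)  # 22-byte record + max comment
    pos = data.rfind(EOCD_SIG, floor)
    while pos != -1:
        if pos + 22 <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            if pos + 22 + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, floor, pos)
    return -1


def inspect_apk(data):
    """Walk the central directory and report what precedes the first entry."""
    report = {"is_zip": False, "starts_with_dex": data[:4] == DEX_MAGIC,
              "leading_bytes": None, "janus_shaped": False}
    eocd = find_eocd(data)
    if eocd == -1:
        return report  # truncated or non-ZIP input: report, do not raise
    total, cd_size, cd_off = struct.unpack_from("<HLL", data, eocd + 10)
    if cd_off + cd_size > eocd:
        return report  # central directory would overlap the EOCD
    first, pos = cd_off, cd_off
    for _ in range(total):
        if pos + 46 > eocd or data[pos:pos + 4] != CDH_SIG:
            return report
        name_len, extra_len, note_len = struct.unpack_from("<HHH", data, pos + 28)
        (lfh_off,) = struct.unpack_from("<L", data, pos + 42)
        if data[lfh_off:lfh_off + 4] != LFH_SIG:
            return report  # entry does not point at a local file header
        first = min(first, lfh_off)
        pos += 46 + name_len + extra_len + note_len
    report.update(is_zip=True, leading_bytes=first,
                  janus_shaped=report["starts_with_dex"] and first > 0)
    return report


def constructed_samples():
    """Two in-memory fixtures built for this example (not real APKs)."""
    plain = io.BytesIO()
    with zipfile.ZipFile(plain, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    # 112 filler bytes that carry only the DEX magic; not a loadable DEX.
    prefixed = io.BytesIO(b"dex\n035\x00" + bytes(104))
    with zipfile.ZipFile(prefixed, "a") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return plain.getvalue(), prefixed.getvalue()


if __name__ == "__main__":
    for label, blob in zip(("plain", "dex-prefixed"), constructed_samples()):
        print(label, inspect_apk(blob))
```

A normally built APK reports `leading_bytes` of 0; any non-zero value together with `starts_with_dex` is worth a closer look before installing.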
I'm not that expert so can you clarify for me? Can you use this exploit to add supersu or any other root method?
I have a US fire TV 3, a US FireTvStick 2 and an italian FireTvStick 2 Basic edition. Can I test this on any of them?
EDIT: All of them have updates blocked on my router. Can't remember on what OS version they are though. But pretty sure a very early one.
EDIT#2: Reading better I guess it's not possible cause the exploit can only modify SYSTEM APPS permissions? Not sure if a non system app installed by user crafted to install su binaries can work?
EDIT#3: Reading better I understood that if you craft a dex file making it look like a legitimate update of a high privileged system app you can inherit its privileges and execute your code. So maybe there are hopes. Thanks again for your effort. Really interesting.
Thanks and nice work.
puppinoo said:
I'm not that expert so can you clarify for me? Can you use this exploit to add supersu or any other root method?
I have a US fire TV 3, a US FireTvStick 2 and an italian FireTvStick 2 Basic edition. Can I test this on any of them?
EDIT: All of them have updates blocked on my router. Can't remember on what OS version they are though. But pretty sure a very early one.
EDIT#2: Reading better I guess it's not possible cause the exploit can only modify SYSTEM APPS permissions? Not sure if a non system app installed by user crafted to install su binaries can work?
EDIT#3: Reading better I understood that if you craft a dex file making it look like a legitimate update of a high privileged system app you can inherit its privileges and execute your code. So maybe there are hopes. Thanks again for your effort. Really interesting.
Thanks and nice work.
As of now no super user, still looking for loopholes to use system permission to disable SELinux security.
Yes you can try installing. But if it fails, you will have to pull your system app and modify.
This apk is based on the Fire OS 5.2.6.3 bin; it also works on Fire OS 5.2.6.2.
ranjeet choudhary said:
Install this apk to block installing new updates from Amazon. It will still download the OTA bin file for you to experiment, but the OTA install will fail as the install code is removed.
Where does the downloaded OTA sit? Will this blocking app work for other Fire devices such as Fire tablets?
ranjeet choudhary said:
As of now no super user, still looking for loopholes to use system permission to disable SELinux security.
Yes you can try installing. But if it fails, you will have to pull your system app and modify.
This apk is based on the Fire OS 5.2.6.3 bin; it also works on Fire OS 5.2.6.2.
I researched Fire system app permissions a while ago, see this post https://forum.xda-developers.com/showpost.php?p=75226706&postcount=65
You can use a script like this to dump info for all system apps, and then look through the output:
Code:
for p in `pm list package -s | ./busybox awk -F"package:" '{print $2}'`; do echo -n "$p: "; dumpsys package $p ; done
(this requires that you upload 'busybox' to /data/local/tmp, and run it there)
What I observed is that SuperSu adds a whole new level of permissions to the system (a giant hole, if you will). None of the existing apps have that level of access. Of the existing system apps, it seemed that devicesoftwareota had some of the juicier permissions, which still is not much. All it effectively does is that it grabs the update bin from the Internet, sticks it to a designated directory, and reboots to recovery which will continue the update. This can already be achieved on tablets via the sideloading option in recovery. I don't recall I spotted an existing app that could read the whole /data directory, as to enable backups in a simple format.
I've attached the output for devicesoftwareota for FireHD 10 2017, but that should be similar to the Fire stick.
Anyway, please do share if you find anything good!!!
ranjeet choudhary said:
Security patch is of June 2017. ro.build.version.security_patch=2017-06-01
We can try all exploits which came after that.
So far not able to find any exploit for tank, I'm sharing the latest bin and extract so we can collectively find some.
Drive Link
Good job! I have not seen the bin file available elsewhere - Amazon obfuscated the links to it quite well.
Just for kicks, I unpacked it, and installed com.amazon.tv.launcher on top of the one I had. So I now have an updated launcher:
Code:
Package [com.amazon.tv.launcher] (2b2540ce):
userId=32072 gids=[3003, 1028, 1015, 3002]
pkg=Package{c86435c com.amazon.tv.launcher}
codePath=/data/app/com.amazon.tv.launcher-1
versionCode=600612610 targetSdk=22
versionName=6.0.0.6-126
...
Hidden system packages:
Package [com.amazon.tv.launcher] (3f5557eb):
userId=32072 gids=[]
pkg=Package{22e23948 com.amazon.tv.launcher}
codePath=/system/priv-app/com.amazon.tv.launcher
versionCode=573001710 targetSdk=22
versionName=5.7.3-17
I may try your devicesoftwareota.apk at some point too.
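The listing above shows a system package whose active copy now lives under /data/app while the original remains under "Hidden system packages". As an added example (not part of the original post), this parser lists every package in that state so an unexpected override of a privileged app stands out; the function names are hypothetical, and the input is the listing quoted in the post, including the poster's "..." elision.

```python
import re

HEADER_RE = re.compile(r"^Package \[([^\]]+)\] \(([0-9a-f]+)\):$")
FIELD_RE = re.compile(r"\b(codePath|versionCode|versionName)=(\S+)")

# dumpsys package output as quoted in the post above.
SAMPLE = """\
Package [com.amazon.tv.launcher] (2b2540ce):
userId=32072 gids=[3003, 1028, 1015, 3002]
pkg=Package{c86435c com.amazon.tv.launcher}
codePath=/data/app/com.amazon.tv.launcher-1
versionCode=600612610 targetSdk=22
versionName=6.0.0.6-126
...
Hidden system packages:
Package [com.amazon.tv.launcher] (3f5557eb):
userId=32072 gids=[]
pkg=Package{22e23948 com.amazon.tv.launcher}
codePath=/system/priv-app/com.amazon.tv.launcher
versionCode=573001710 targetSdk=22
versionName=5.7.3-17
"""


def parse_packages(text):
    """Return (active, hidden): package name -> dict of selected fields."""
    active, hidden = {}, {}
    section, record = active, None
    for raw in text.splitlines():
        line = raw.strip()          # real dumpsys output is indented
        if line == "Hidden system packages:":
            section, record = hidden, None
        elif line == "Packages:":
            section, record = active, None
        elif HEADER_RE.match(line):
            record = section.setdefault(HEADER_RE.match(line).group(1), {})
        elif record is not None:
            record.update(FIELD_RE.findall(line))
    return active, hidden


def shadowed_system_packages(text):
    """System packages whose running copy was replaced by one in /data/app."""
    active, hidden = parse_packages(text)
    findings = []
    for name, system in sorted(hidden.items()):
        current = active.get(name, {})
        if current.get("codePath", "").startswith("/data/app/"):
            findings.append({
                "package": name,
                "system_path": system.get("codePath"),
                "active_path": current["codePath"],
                "system_version": int(system.get("versionCode", 0)),
                "active_version": int(current.get("versionCode", 0)),
            })
    return findings


if __name__ == "__main__":
    for finding in shadowed_system_packages(SAMPLE):
        print(finding)
```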
bibikalka said:
Where does the downloaded OTA sit? Will this blocking app work for other Fire devices such as Fire tablets?
I researched Fire system app permissions a while ago, see this post https://forum.xda-developers.com/showpost.php?p=75226706&postcount=65
You can use a script like this to dump info for all system apps, and then look through the output:
Code:
for p in `pm list package -s | ./busybox awk -F"package:" '{print $2}'`; do echo -n "$p: "; dumpsys package $p ; done
(this requires that you upload 'busybox' to /data/local/tmp, and run it there)
What I observed is that SuperSu adds a whole new level of permissions to the system (a giant hole, if you will). None of the existing apps have that level of access. Of the existing system apps, it seemed that devicesoftwareota had some of the juicier permissions, which still is not much. All it effectively does is that it grabs the update bin from the Internet, sticks it to a designated directory, and reboots to recovery which will continue the update. This can already be achieved on tablets via the sideloading option in recovery. I don't recall I spotted an existing app that could read the whole /data directory, as to enable backups in a simple format.
I've attached the output for devicesoftwareota for FireHD 10 2017, but that should be similar to the Fire stick.
Anyway, please do share if you find anything good!!!
You can find the ota files here
/sdcard/Android/data/com.amazon.device.software.ota/
Haven't tested on Fire tablets, you can try and let us know.
ranjeet choudhary said:
You can find the ota files here
/sdcard/Android/data/com.amazon.device.software.ota/
Haven't tested on Fire tablets, you can try and let us know.
Is there a way to get a 5.2.6.3 flashable zip for the Fire TV 2 box from this?
Which launcher do you have now? Can we replace that launcher with any other launcher? I could code a gui for drag/drop so we add the apk then the exploit generates the apk. Of course the tool would tell us which system apps are available and with what they could be replaced. Another interesting question is would we be able to remove the bloatware by adding replacing system apps with empty apks?
bibikalka said:
Good job! I have not seen the bin file available elsewhere - Amazon obfuscated the links to it quite well.
Just for kicks, I unpacked it, and installed com.amazon.tv.launcher on top of the one I had. So I now have an updated launcher:
Code:
Package [com.amazon.tv.launcher] (2b2540ce):
userId=32072 gids=[3003, 1028, 1015, 3002]
pkg=Package{c86435c com.amazon.tv.launcher}
codePath=/data/app/com.amazon.tv.launcher-1
versionCode=600612610 targetSdk=22
versionName=6.0.0.6-126
...
Hidden system packages:
Package [com.amazon.tv.launcher] (3f5557eb):
userId=32072 gids=[]
pkg=Package{22e23948 com.amazon.tv.launcher}
codePath=/system/priv-app/com.amazon.tv.launcher
versionCode=573001710 targetSdk=22
versionName=5.7.3-17
I may try your devicesoftwareota.apk at some point too.
Anyone have any pre-configured apk's available to replace the amazon launcher with an alternative using the janus exploit?
I cannot get the janus exploit to work with Windows + Python 2.7
Code:
cd_start_addr = struct.unpack("<L", apk_data[cd_end_addr+16:cd_end_addr+20])[0]
struct.error: unpack requires a string argument of length 4
Will need to try linux, mac, or python 3.0
juanse254 said:
Which launcher do you have now? Can we replace that launcher with any other launcher? I could code a gui for drag/drop so we add the apk then the exploit generates the apk. Of course the tool would tell us which system apps are available and with what they could be replaced. Another interesting question is would we be able to remove the bloatware by adding replacing system apps with empty apks?
I'm using appstarter. Yes, you can replace the launcher. And yes, it's possible to replace system apps with empty apks.
You can try the attached dummy apk which is replacing com.amazon.tv.oobe.apk. oobe is responsible for triggering default launcher and apply any locks by Amazon to block the device and also prevent BOOT_COMPLETED. This dummy apk kills the oobe so that we can listen for BOOT_COMPLETED in other apps and replace launcher.
ranjeet choudhary said:
I'm using appstarter. Yes, you can replace the launcher. And yes, it's possible to replace system apps with empty apks.
You can try the attached dummy apk which is replacing com.amazon.tv.oobe.apk. oobe is responsible for triggering default launcher and apply any locks by Amazon to block the device and also prevent BOOT_COMPLETED. This dummy apk kills the oobe so that we can listen for BOOT_COMPLETED in other apps and replace launcher.
Sigh
This looked to be the best chance I had at killing the Amazon TV Launcher on my FireTV 2 (5.2.6.2) but it said it was already installed when I tried (adb install out1.apk)
It 'succeeded' when I forced a reinstall (adb install -r out1.apk) but on a reboot the TV Launcher came up
Anything else I can try?
ranjeet choudhary said:
Install this apk to block installing new updates from Amazon. It will still download the OTA bin file for you to experiment, but the OTA install will fail as the install code is removed.
Can I use this to stop my tank 5.2.6.3 from updating to 5.2.6.7?
Have router blocking working (with some...tinkering), but would like to be able to connect to other networks without worry of update.
A request
Hello,
I'm sure you have noticed the flurry of successfully rooted Fire TV devices lately, including the Fire TV Stick 2, Fire TV 3 and Cube.
Which would seem to make this exploit now obsolete. But not your modified DeviceSoftwareOTA.apk, which I used on my stick to block updates until I recently rooted it.
At current, the Fire TV Stick 2 has the most up to date software. But the Cube and Pendant are behind on updates because there is no way to download them without some risk of the possibility of losing root for which the exploit has now been patched. But a modified DeviceSoftwareOTA.apk for these devices that would download the update and not initiate an install would be an elegant solution. Allowing us to pull the update from the device and install it in a different manner.
This type of modification is unfortunately beyond my skill level, so I have attached a link to the current apk from one of these devices.
And am asking, if you have time, could you please have a look at it. And tell me if yours would work in its place, or modify it as you did yours by removing the install code.
Your help would be greatly appreciated.
Thanks.
DeviceSoftwareOTA.apk
2WhlWzrd said:
But a modified DeviceSoftwareOTA.apk for these devices that would download the update and not initiate an install would be an elegant solution. Allowing us to pull the update from the device and install it in a different manner.
This exploit was patched above 5.2.6.3. If your FTV3/Cube is at a higher firmware, forget about this...
2WhlWzrd said:
Hello,
I'm sure you have noticed the flurry of successfully rooted Fire TV devices lately, including the Fire TV Stick 2, Fire TV 3 and Cube.
Which would seem to make this exploit now obsolete. But not your modified DeviceSoftwareOTA.apk, which I used on my stick to block updates until I recently rooted it.
At current, the Fire TV Stick 2 has the most up to date software. But the Cube and Pendant are behind on updates because there is no way to download them without some risk of the possibility of losing root for which the exploit has now been patched. But a modified DeviceSoftwareOTA.apk for these devices that would download the update and not initiate an install would be an elegant solution. Allowing us to pull the update from the device and install it in a different manner.
This type of modification is unfortunately beyond my skill level, so I have attached a link to the current apk from one of these devices.
And am asking, if you have time, could you please have a look at it. And tell me if yours would work in its place, or modify it as you did yours by removing the install code.
Your help would be greatly appreciated.
Thanks.
DeviceSoftwareOTA.apk
Thanks for the update on root, I totally missed it. This opens a whole lot of modification possible. Let me check if the exploit still works. Even if it doesn't work, with root we can force replace with modified apk.
I read some time ago that there will be a new update that will block Kodi is this an update that could do this ?
ranjeet choudhary said:
Thanks for the update on root, I totally missed it. This opens a whole lot of modification possible. Let me check if the exploit still works. Even if it doesn't work, with root we can force replace with modified apk.
Thank you, for your reply.
I thought that it should be possible to force this with root, these devices have Fire OS 6 — Based on Android 7.1 (API level 25).
So I don't think the vulnerability would apply, would it? Unlike the 2nd generation stick with Fire OS 5 — Based on Android 5.1 (API Level 22).
But there still may be hope.
We are rooted with Magisk and I have installed the Magisk port of Xposed. And there is HDXposed, which is said to be able to disable the signature check. But I don't see anyone using it with Fire OS 6 yet, only Fire OS 5 mods. So I don't know if it will work anyway.
I shall patiently await your reply.
Thanks again for your efforts.
[deleted]
Hi,
I would like to use my FireHD 10 tablet with as few connections to Amazon as possible. I have noticed that you can download the stock system updates as a .bin file directly from Amazon however I haven't found a way to install them.
https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE
A few tutorials mention booting into recovery and sideloading it there but unfortunately I don't have a sideloading option with my FireHD10.
Is there any other way to install this update? Can you place it in a certain directory so the online updater recognizes this file?
If I remember correctly, with the original Fire HD7, if you copied the update.bin file to the root directory and rebooted it would install the update. I don't know if this works on current models.
anyone23 said:
Hi,
I would like to use my FireHD 10 tablet with as few connections to Amazon as possible. I have noticed that you can download the stock system updates as a .bin file directly from Amazon however I haven't found a way to install them.
https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE
A few tutorials mention booting into recovery and sideloading it there but unfortunately I don't have a sideloading option with my FireHD10.
Is there any other way to install this update? Can you place it in a certain directory so the online updater recognizes this file?
To access the OTA dashboard, you can tap the search box on Fire launcher, type ;dx and hit enter, and select OTA Dashboard.