Amazon released the Fire TV Cube earlier this year as a 4K-capable streaming device with far-field microphones (for picking up Alexa requests) and an IR transmitter (for turning other devices on and off). Exploitee.rs has now released a root method for the Fire TV Cube and the 2017 Fire TV Stick, which relies on sending commands through the HDMI port and bypassing code verification.

The full exploit details can be found at the source link, but put simply, the rooting method relies on two separate hacks. First, the Fire TV has to be put into DFU (Device Firmware Update) Mode by sending a specific string of text over the I2C bus on the HDMI port. This part requires an Arduino board with an HDMI header.

Unfortunately, only code signed by Amazon can be executed in this mode. To run unsigned code on the Fire TV, and thus gain root, the team wrote a payload that overflows a heap allocation in the device's bootloader. Here's the full explanation from the blog post:

Specifically, by providing a high enough value to the number of entries in the RSV table (rsv->count on line 490), we are able to overflow the heap allocation and obtain a new write primitive. Through this primitive (and all within the exploit's payload) we modify values in memory for U-Boot, tricking the device into believing it is unlocked and disabling all signature verification. Due to the exploit being run during each boot, the U-Boot code needs to only be patched in memory. However, because the exploit is now being stored in the original RSV location in flash, we must move the old RSV values to a new area and fix up any addresses pointing to the previous location. After a reboot and successful exploitation, the Fire TV device will be able to run unsigned code.
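The sizing mistake the quote describes, shown as an added C illustration that is not Exploitee.rs' or U-Boot's code: a hypothetical flash table whose entry count sizes a copy into a fixed heap block, with the unchecked length computation beside a parser that bounds the count before it sizes anything. The table layout, RSV_MAX_ENTRIES, RSV_ENTRY_SIZE, the 4-byte header and every function name are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical layout modelled on the page's description (a flash table whose
 * entry count sizes a heap copy); not U-Boot's or Exploitee.rs' real code. */
#define RSV_MAX_ENTRIES 64u
#define RSV_ENTRY_SIZE  16u
#define RSV_HDR_SIZE    4u   /* single little-endian uint32_t entry count */

struct rsv_table {
    uint32_t count;
    uint8_t  entries[RSV_MAX_ENTRIES * RSV_ENTRY_SIZE];   /* fixed block */
};

/* The unchecked sizing the page describes: count comes straight from flash, so
 * count * entry size can exceed the fixed block (or wrap on 32-bit). Returned
 * rather than used, so this example never performs the out-of-bounds copy. */
size_t rsv_copy_len_unchecked(uint32_t count) {
    return (size_t)count * RSV_ENTRY_SIZE;
}

/* Hardened parse: bound the count before it sizes anything, then check the
 * image really holds that many entries. 0 on success, negative on rejection. */
int rsv_parse(const uint8_t *img, size_t img_len, struct rsv_table *out) {
    uint32_t count; size_t body;
    if (img == NULL || out == NULL || img_len < RSV_HDR_SIZE)
        return -1;                              /* truncated header */
    count = (uint32_t)img[0] | (uint32_t)img[1] << 8 |
            (uint32_t)img[2] << 16 | (uint32_t)img[3] << 24;
    if (count > RSV_MAX_ENTRIES)
        return -2;                              /* would overrun the block */
    body = (size_t)count * RSV_ENTRY_SIZE;      /* cannot wrap: count <= 64 */
    if (img_len - RSV_HDR_SIZE < body)
        return -3;                              /* truncated entry data */
    out->count = count;
    memcpy(out->entries, img + RSV_HDR_SIZE, body);
    return 0;
}

/* Constructed test input: header with `count` followed by body_len filler
 * bytes. Returns bytes written, or 0 if buf cannot hold the image. */
size_t rsv_make_image(uint8_t *buf, size_t buf_len, uint32_t count, size_t body_len) {
    if (buf_len < RSV_HDR_SIZE + body_len)
        return 0;
    buf[0] = (uint8_t)count;         buf[1] = (uint8_t)(count >> 8);
    buf[2] = (uint8_t)(count >> 16); buf[3] = (uint8_t)(count >> 24);
    memset(buf + RSV_HDR_SIZE, 0xAB, body_len);
    return RSV_HDR_SIZE + body_len;
}
```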

From there, the team was able to use Fastboot to flash a custom recovery and install Magisk. The full instructions are now available on the Exploitee.rs wiki, so if you have a Linux PC and an Arduino board (with an HDMI breakout), you can give it a shot.

Source: Exploitee.rs