Install Additional TLS Root CA's on Amazon Fire TV

Installing additional Root Certificate Authorities on the Amazon's Fire TV is a simple process so long as you have the correct tooling. First connect to the Fire TV using ADB debugging, then upload the certificate files to the Fire TV, and finally run an action to install them.

Requirements

  • Amazon Fire TV
  • Amazon Account Credentials
  • Android Debug Bridge (ADB)
  • Certificate(s) in PEM format

For the purpose of this guide we will install the TDMC/Pacy World, LLC. root CA's.

Install Android Debug Bridge

Download the Android Debug Bridge software for your operating system from the platform tools download site.

Extract the ZIP archive to a folder on your computer.

Open a console window, and cd to that directory. If you are on Windows you can use the Windows command prompt (cmd).


Enable ADB Debugging on Fire TV

If this is the first time you are connecting to the Fire TV using ADB you will probably need to enable ADB Debugging. Go into the Settings and select My Fire TV.

Go into the Developer options.

Highlight ADB debugging and press to switch it to ON.

Get your Fire TV IP Address

To find out what IP address is assigned to your Fire TV go into the Settings and select My Fire TV.

Select About.

Highlight Network to see the information.

The IP address of our Fire TV is 192.168.0.88. Your IP may or may not be completely different.

Connect to you Fire TV

Return to the console window and run the command adb connect x.x.x.x where 'x.x.x.x' is the IP address of your Fire TV. For example on Windows you will do:

> adb connect 192.168.0.88
* daemon not running; starting now at tcp:5037
* daemon started successfully

If you receive a failed to authenticate error, it means you need to accept the incoming connection from your Fire TV.

failed to authenticate

Look on your TV and approve the incoming connection. Optionally check the box to remember your selection ("Always allow from this computer").

Try to reconnect by disconnecting and reconnecting.

>adb disconnect 192.168.0.88
disconnected 192.168.0.88
>adb connect 192.168.0.88

Upon success the adb command will show that it has connected.

connected to 192.168.0.88:5555

If you want to verify that you are connected. You can show a list of all connected devices by using the adb devices command.

>adb devices
List of devices attached
192.168.0.88:5555       device

Upload The Certificate

Download your certificate(s) in PEM format (*.pem or *.crt) and make sure you are using only a single certificate per file.

If you are installing The TDMC/Pacy World, LLC. root CA's. Click the links to download the individual certificates.

Save your certificates to the same folder you extracted the ADB platform tools. This will make it easier to reference the files from the command line.

Return to the console window and use the adb push command to upload the certificate to the Fire TV. The command requires a source file (your certificate) and a temporary destination directory (on the Fire TV). For example, lets upload the first certificate file (ca-pacyworld.com.crt) to the Downloads folder on the Fire TV.

adb push ca-pacyworld.com.crt /storage/emulated/0/Download

Replace ca-pacyworld.com.crt with your certificate filename. A successful upload will return the following result:

ca-pacyworld.com.crt: 1 file pushed, 0...ipped. 6.4 MB/s (1178 bytes in 0.000s)

Repeat the command for any additional certificate files you have

Install the Certificate

With the certificate files now present on the Fire TV, we can open them using the adb shell am start command. We will launch a "android.intent.action.VIEW" activity that will provide us with the option to install the certificate. There are 3 switches that are going to be passed. The activity to run (-a), the file to view (-d), and the type of file that is being opened (-t). The complete command will look like this:

adb shell am start -a android.intent.action.VIEW -d "file:///storage/emulated/0/Download/ca-pacyworld.com.crt" -t "application/x-x509-ca-cert"

Once again replace ca-pacyworld.com.crt with the name of your certificate file. If the action launches successfully, you'll see something like this in your console:

Starting: Intent { act=android.intent.action.VIEW dat=file:///storage/emulated/0/Download/ca-pacyworld.com.crt typ=application/x-x509-ca-cert }

Your Fire TV will have something popup on the screen asking you to name the certificate.

Using the remote press to enter the dialog to type a name.

Enter a descriptive name for the certificate using your preferred input method. Alternatively we can send text from ADB using adb shell input text to save effort if all you have is the remote.

adb shell "input keyboard text 'Pacy World Legacy Root CA'"

Note the use of single quotes around the text we are sending and the double quotes around the shell command. In a moment the text will be sent to the Fire TV.

Highlight and press Next to save your input.

Using your remote ensure the Credential Use: field says "VPN and apps". Then navigate to the OK button and press to continue.

You will be prompted to verify your Amazon password. Press OK to continue.

Use your remote to select the fields and fill in the information.

Press down twice to highlight the Email field. Enter your email or phone as requested. Then press Submit. You may also use the send text command from ADB to save effort.

When prompted enter your password and press Submit.

Using your remote press down (once or twice) to highlight the Sign-In button. You may or may not run into a situation where you will be unable to 'press' the button. This is a known bug with Fire TV OS, but thankfully it can be worked around using ADB.

Instead of highlighting the Sign-in button. Press up on the remote twice to highlight the password field.

Return to the ADB console window and use the keyevent command to send an "ENTER" keystroke (66).

adb shell input keyevent 66

There won't be any output from the command, but if you have the password field correctly selected, the sign-in form will be submitted. Towards the bottom of your screen you'll see a confirmation message saying the certificate was installed.

Repeat the entire process for any additional certificate files you have. Use the remaining Pacy World Root CA's as an opportunity to practice:

  • alt_ca-morante_root.crt
  • alt_ca-morante_intermediate.crt

Disconnect from Fire TV

Return to the console and issue the disconnect command. Then you may safely close out the console window.

>adb disconnect 192.168.0.88
disconnected 192.168.0.88
PacyWorld Button
Powered by Pacy