[UNLOCK][ROOT][TWRP][UNBRICK] Amazon Echo Show 5 2nd Gen - 2021 (cronos)



CURRENT RELEASE: amonet-cronos-v1.1.3.zip

Read this whole guide before starting.

THIS IS ONLY for the 2nd gen Echo Show 5 (cronos) released in 2021 (C76N8S)!

For the 1st Gen Echo Show 5 (checkers), FOLLOW THIS THREAD INSTEAD.

This process carries a significant risk of permanently bricking your device if anything goes wrong. Proceed entirely at your own risk.


Neither I nor any contributors will be held responsible for any damage or malfunction resulting from following these instructions.

BEFORE ASKING WHETHER IT CAN BE PORTED TO ANOTHER ECHO DEVICE, READ THE Q&A SECTION TO UNDERSTAND WHY THIS METHOD ONLY WORKS ON THIS MODEL.

NOTE: To update to the current release if you are already unlocked, just flash the ZIP in TWRP.

Requirements:

  • A Windows or Linux-based computer
  • A MicroUSB cable to connect the echo to the computer

Instructions:

  1. If you wish to use the stock OS after the unlock, you MUST be registered onto your Amazon account, otherwise the OOBE will crash and you won't be able to complete the setup process. This means you'll be unable to use the stock Fire OS without restoring from a backup made before the unlock.
  2. Download the latest amonet package from the attachments section of this post.
  3. If you are using Windows, install the Kindle Fire Driver (or, if that doesn't work, install Google’s USB driver for ADB & Fastboot). Detailed installation steps will not be covered here, search online for guidance.
  4. Extract the ZIP file and open the resulting folder. If you are using Linux, open a terminal window within the extracted directory.
  5. If you are using Windows, double-click the fastbrick.bat script. If you are using Linux, run ./fastbrick.sh in the terminal.
  6. Connect the device to the AC charger and hold all three buttons simultaneously until => FASTBOOT mode... appears on the screen.
  7. Once in Fastboot mode, connect the device to the computer using a MicroUSB cable. The script should automatically detect the device.
  8. When prompted, type "YES". Follow all on-screen instructions on both the computer and the device while the exploit executes.
  9. DO NOT INTERRUPT THE PROCESS AFTER THE 10‑SECOND GRACE PERIOD, ANY INTERRUPTION WILL PERMANENTLY BRICK THE DEVICE.
  10. Wait up to five minutes for the exploit to complete. The device will reboot into TWRP.
  11. Once you're in TWRP, if you EVER want to go back to the STOCK Fire OS, you WILL need a backup. This is critical because the OOBE (initial setup) will crash after unlocking, making it impossible to set up a fresh Fire OS installation.

    Run backup.bat if you're on Windows, or backup.sh if you're on Linux to create this backup. Store it in a safe location, this is your only way back to stock Fire OS.

  12. This is optional, but I would really appreciate it, as it can help me add support for currently unsupported versions. In TWRP, without doing a factory reset and while keeping Fire OS installed, run the following command to pull the file and send it to me:
    adb pull /data/data/com.amazon.device.software.ota/databases/updates.db

Restoring a backup:

As of now, there's no easy way to go back to Fire OS. While you can flash the stock firmware update package through TWRP and it will boot, you won't be able to get past the OOBE (initial setup) because it will crash.

This is why making a backup before proceeding is critical. This section assumes you've previously made a backup using the backup scripts when you first entered TWRP.

  1. Extract the amonet zip if you haven't already and then, inside, run restore.bat if you're on Windows or restore.sh if you're on Linux.
  2. The script will ask you to enter the path where your backup is stored. Provide the full path to the backup folder (the one containing data.ab, system.ab, and boot.ab), press enter, and it will restore your stock Fire OS.
  3. If you can't get the script to work, you can always restore manually with ADB:
    adb restore data.ab
    adb restore system.ab
    adb restore boot.ab
    (make sure your device is in TWRP with the screen on and in the main menu before running these commands.)

Fully going back to FireOS:

This procedure will restore the device to its original state, reflash the stock firmware, and relock the bootloader.

This is a risky procedure and should only be used if you really want to go back to the stock OS or if you didn't make a backup beforehand.

You will be able to re-run the exploit again and unlock the bootloader if you wish, but make sure to follow the procedure carefully as it risks a hard brick.

  1. Start by downloading the (separate) restore-stock-cronos.zip from the attachments of this post.
  2. Extract the ZIP and open the folder with the resulting contents.
  3. Reboot the device into TWRP by either using adb reboot recovery or by pressing and holding the Volume Up key while you connect the AC charger.
  4. Once you're in TWRP, connect the device to the PC. Then, if you're on Windows, run restore-stock.bat or ./restore-stock.sh if you're on Linux.
  5. The script will prompt you to select which version of Fire OS you wish to install. I STRONGLY RECOMMEND LEAVING THE DEFAULT AND RECOMMENDED ONE so you can run the exploit again in the future.
  6. Wait for it to download and flash the firmware. Make sure not to interrupt the device at any point.
  7. If everything went well, the device will reboot to Fire OS. Give it a few minutes to boot, since the first boot might take a while.

IMPORTANT NOTES:

Although bricking the device after unlocking is uncommon, this device lacks BROM USBDL access, so a brick can therefore be permanent and unrecoverable.

NEVER EVER modify the BOOTLOADER or any CRITICAL PARTITIONS (e.g., LK, Preloader, TZ). Doing so can PERMANENTLY BRICK your device, with NO POSSIBILITY OF RECOVERY.

Only flash stock firmware updates via TWRP, as it ensures that critical partitions are not modified or overwritten. Firmware packages are ZIP files, so simply renaming them from .bin to .zip should work without issues.

Part of the exploit resides in the first block of your recovery and boot partitions, so avoid flashing them directly from the OS using dd or any other root tools, as this can soft-brick your device.
Always use hacked fastboot mode or TWRP to flash or update boot images.

Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically. If neither TWRP nor a hacked fastboot is available, boot into stock (non‑hacked) fastboot mode and run the exploit again (Option 1).

The exploit remaps the volume buttons to switch between boot modes, so with it installed you can use them to select different boot options:

  • HACKED FASTBOOT mode: Access this mode by holding ONLY the Mute (Power) key after connecting the power source.
  • TWRP / RECOVERY mode: Enter this mode by holding ONLY the Volume Up key after connecting the power source.
  • Regular (stock) FASTBOOT mode: Enter this mode as usual by pressing all three keys simultaneously after connecting the power source.

Alternatively, you can use the scripts boot-recovery.sh and boot-fastboot.sh included in the ZIP. After connecting the device to your PC, these scripts should also force the device into FASTBOOT MODE or TWRP/RECOVERY mode.

For developers, UART access is available through the TP55 pad (RX). By default, kernel logs are not displayed to UART since this is disabled by LK.

However, with the exploit installed, you can forcefully enable them by flashing a custom MISC image. You can generate (and flash) this image using the following command(s):

dd if=/dev/zero of=misc-uart.bin bs=1 count=32
echo -ne "UART_PLEASE" | dd of=misc-uart.bin bs=1 seek=16 conv=notrunc
fastboot flash MISC misc-uart.bin

Contributors:

@Rortiz2
@k4y0z
@FieryFlames
@bengris32
@TheVancedGamer

Additional thanks to:

@xyz` - for making all this possible and releasing the original amonet exploit for karnak.

AntiEngineer - for helping me set up the development board on my unit, start the work, find the correct pins, and get UART working

alextrack2013 - for patching the Windows fastboot binaries and making the process work there!

@gilderchuck - for assisting with testing!

Source code:


(this is kept for archival purposes, not needed anymore)

Adding support for unsupported versions:

If you’ve tried to run the script and were greeted with an unsupported firmware version error, and you can’t update to any of the supported versions, the only way to add support for your current version is to dump your current LK over UART using a variant of the exploit that has a ~30% success rate, so be prepared to be patient.

Requirements

  • A Windows- or Linux-based computer
  • A Micro-USB cable to connect the Echo to the computer
  • A soldering iron and a few 30-AWG wires (or similar)
  • A USB-to-TTL serial adapter (an Arduino Uno can also be used)

Instructions
  1. Start by opening the device. I won’t go into much detail here, search for guides online if needed. The internal layout is very similar, if not identical, to the 1st-gen Echo Show 5.
  2. Locate the TP55 test point on the board. This is the TX pin, from which you’ll read UART logs.
    • Solder a wire to TP55
    • Solder another wire to any GND point on the board (for example, a metal shield)
  3. Connect the TX wire to the RX pin of your USB-to-TTL adapter, and connect GND to the adapter’s GND.
  4. Download and extract the attached amonet-dump-lk.zip package.
  5. Prepare and configure a program to read UART logs. For Linux I recommend tio and for Windows PuTTY.
  6. Set the baud rate to 921600 and make sure to save the UART output to a .txt file.
  7. Boot the device into FASTBOOT mode by pressing the three buttons, then connect it to your PC.
  8. Execute run.bat on Windows or run.sh on Linux, and follow the on-screen instructions.
  9. Be aware: the exploit has a very low success rate and may take up to 50 attempts to succeed.
    • Most of the time it will crash or hang
    • If that happens, reboot the device back into FASTBOOT mode and try again
  10. The goal is to obtain a raw (byte-level) dump of the currently installed LK image via UART.
    Once successful, send me the resulting .txt file (@Rortiz2), and I’ll add support for your device.

A successful run will look like this:
[3260] [Cmd process]-[buf:download:06d00600]-[lenBuf:06d00600]^M
[3260] fb dump: 0x00000000, 0x00000000, 0x00000000, 0x00000000^M
[3260] fb dump: 0x00000000, 0x00000000, 0x00000000, 0x00000000^M
[6810] fb dump: 0x00000000, 0x00000000, 0x00000000, 0x00000000^M
[6820] [fastboot: command buf]-[flash:brick]-[len=11]^M
[6820] [fastboot]-[download_base:0x45000000]-[download_size:0x6d00600]^M
This is amonet-fastbrick by R0rt1z2
kicking watchdog
get_device = 0x4BD1FEF5
udelay = 0x4BD14951
found lk at 0x00001800
lk partition found at 0x00001800
read lk partition returned 0x00100000
=== LK DUMP START ===
D:588816880005DA2C00004B4C00000000
D:00000000000000000000000000000000
D:0000000000000000FFFFFFFFFFFFFFFF
D:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
D:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
D:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
.....
=== LK DUMP END===

Crashes will look like this:
[14040] undefined abort, halting
[14040] r0  0x4bd31320 r1  0x4bd99f10 r2  0x00000100 r3  0xffffeba0
[14040] r4  0x00000000 r5  0x4bd70220 r6  0x4bd731e4 r7  0x4bd701e0
[14040] r8  0x4bd701e0 r9  0x00000038 r10 0x4bd4da7f r11 0x4bd4db4f
[14040] r12 0x4bd99f10 usp 0x00000000 ulr 0x00000000 pc  0x4bd0039e
[14040] spsr 0x60000173
[14040]  fiq r13 0x4bd60400 r14 0x00000000
[14040]  irq r13 0x4bd69318 r14 0x4bd25fe8
[14040] *svc r13 0x4bd99f08 r14 0x4bd01f13
[14040]  und r13 0x4bd60374 r14 0x4bd2622b
[14040]  sys r13 0x00000000 r14 0x00000000
[14040] bottom of stack at 0x4bd99f08:
0x4bd99f08: 00000000 4bd01f13 00000000 00000000 |.......K........|
0x4bd99f18: 00000000 00000000 00000000 00000000 |................|
0x4bd99f28: 00000000 00000000 00000000 00000000 |................|
0x4bd99f38: 00000000 00000000 00000000 00000000 |................|
0x4bd99f48: 00000000 00000000 00000000 00000000 |................|
0x4bd99f58: 00000000 00000000 00000000 00000000 |................|
0x4bd99f68: 00000000 00000000 00000000 00000000 |................|
0x4bd99f78: 00000000 00000000 00000000 00000000 |................|

[ATF][    41.959524]=> wdt_kernel_cb_addr=0, error before WDT successfully initialized. cpu 0
[ATF][    41.960519]=> regs->pc : 0x4bd00298
[ATF][    41.961014]=> regs->lr : 0x0
[ATF][    41.961435]=> regs->sp : 0x1b95a3aef9ddeb77
[ATF][    41.962016]=> Informations: pstate=600001db, pc=4bd00298, sp=1b95a3aef9ddeb77
[ATF][    41.962964]regs->regs[1] = 4bd31320
[ATF][    41.963470]regs->regs[2] = 4bd99f10
[ATF][    41.963976]regs->regs[3] = 100
[ATF][    41.964429]regs->regs[4] = 4bcfef50
[ATF][    41.964935]regs->regs[5] = 0
[ATF][    41.965365]regs->regs[6] = 4bd70220
[ATF][    41.965872]regs->regs[7] = 4bd731e4
[ATF][    41.966378]regs->regs[8] = 4bd701e0
[ATF][    41.966884]regs->regs[9] = 4bd701e0
[ATF][    41.967390]regs->regs[10] = 38
[ATF][    41.967842]regs->regs[11] = 4bd4da7f
[ATF][    41.968359]regs->regs[12] = 4bd4db4f
[ATF][    41.968876]regs->regs[13] = 46c046c0
[ATF][    41.969393]regs->regs[14] = 0
[ATF][    41.969834]regs->regs[15] = 0
[ATF][    41.970276]regs->regs[16] = 0
[ATF][    41.970718]regs->regs[17] = 46c19a04
[ATF][    41.971235]regs->regs[18] = 4bd69318
[ATF][    41.971752]regs->regs[19] = 0
[ATF][    41.972193]regs->regs[20] = 4bd99f18
[ATF][    41.972710]regs->regs[21] = 0
[ATF][    41.973152]regs->regs[22] = 4bd60400
[ATF][    41.973668]regs->regs[23] = 4bd003a4
[ATF][    41.974185]regs->regs[24] = 4bd60400
[ATF][    41.974702]regs->regs[25] = 0
[ATF][    41.975144]regs->regs[26] = 0
[ATF][    41.975585]regs->regs[27] = 0
[ATF][    41.976027]regs->regs[28] = 0
[ATF][    41.976468]regs->regs[29] = 0
[ATF][    41.976910]regs->regs[30] = 4bd60400
[ATF][    41.977427]regs->regs[31] = 0
[ATF][    41.977868]=> wait until reboot...
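
Added example (not part of the original post or the amonet package): a small Python check to run on the saved UART .txt before sending it, confirming that it holds a complete, clean dump among the failed attempts. It relies on the marker and D: line format shown above; treating the "read lk partition returned" value as the expected byte count is an assumption, and the sample capture is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

START, END = "=== LK DUMP START", "=== LK DUMP END"
CRASH = "undefined abort, halting"
DATA = re.compile(r"D:[0-9A-Fa-f]{32}")   # 16 bytes per line, as in the sample output
SIZE = re.compile(r"read lk partition returned 0x([0-9A-Fa-f]+)")


@dataclass
class Dump:
    reported_size: Optional[int] = None   # ASSUMPTION: "returned" value = bytes read
    data_lines: int = 0
    bad_lines: list = field(default_factory=list)   # (line number, text) pairs
    complete: bool = False                # True once the END marker was seen

    @property
    def size(self):
        return self.data_lines * 16

    @property
    def usable(self):
        size_ok = self.reported_size in (None, self.size)
        return self.complete and not self.bad_lines and size_ok


def parse_capture(text):
    """Split one UART capture into dump attempts; returns (dumps, crash_count)."""
    dumps, current, crashes, size = [], None, 0, None
    for number, raw in enumerate(text.splitlines(), 1):
        # Terminal loggers may leave a real CR or a literal "^M" at line ends.
        line = raw.replace("^M", "").strip()
        if line.startswith(START):
            current = Dump(reported_size=size)   # an unfinished earlier dump stays incomplete
            dumps.append(current)
            size = None
        elif line.startswith(END):
            if current is not None:
                current.complete = True
            current = None
        elif CRASH in line:
            crashes += 1
            current = None                       # crash mid-dump: attempt never completes
        elif current is None:
            match = SIZE.search(line)
            if match:
                size = int(match.group(1), 16)
        elif DATA.fullmatch(line):
            current.data_lines += 1
        elif line:
            current.bad_lines.append((number, line))   # truncated or interleaved output
    return dumps, crashes


def last_usable(dumps):
    """Most recent attempt that is complete, clean and of the reported size."""
    return next((d for d in reversed(dumps) if d.usable), None)


# Constructed sample: one attempt that crashes mid-dump, then one tiny complete dump.
# A real capture reports 0x00100000 and has correspondingly many D: lines.
SAMPLE = "\n".join([
    "[6820] [fastboot: command buf]-[flash:brick]-[len=11]^M",
    "read lk partition returned 0x00000030",
    "=== LK DUMP START ===",
    "D:588816880005DA2C00004B4C00000000",
    "D:0000000000000000FFFF",                 # line cut short by the crash
    "[14040] undefined abort, halting",
    "[6820] [fastboot: command buf]-[flash:brick]-[len=11]^M",
    "read lk partition returned 0x00000030",
    "=== LK DUMP START ===",
    "D:588816880005DA2C00004B4C00000000",
    "D:" + "00" * 16,
    "D:" + "00" * 8 + "FF" * 8,
    "=== LK DUMP END===",
])

if __name__ == "__main__":
    dumps, crashes = parse_capture(SAMPLE)
    print(f"{len(dumps)} dump attempt(s), {crashes} crash(es) in capture")
    for i, d in enumerate(dumps, 1):
        state = "usable" if d.usable else "NOT usable"
        print(f"attempt {i}: {d.size:#x} bytes, reported {d.reported_size}, {state}")
        for number, text in d.bad_lines:
            print(f"  line {number}: unexpected {text!r}")
```

To check a real capture, pass the file's contents to parse_capture(), for example open(path, errors="replace").read(), and look at what last_usable() returns.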


I'm unlocked, now what?

You might be wondering what to do now that you’ve unlocked your Echo Show 5. While I can’t provide guidance on every wild idea you might have, I can offer some basic pointers.

If you want to get rid of FireOS, you can give LineageOS 18.1, based on Android 11, a try.

Getting a rooted shell

  1. Reboot the device into TWRP, then download the attached boot-root.zip and copy it to the internal storage.
  2. Install the ZIP, and then reboot to the OS. ADB should now be enabled, and the shell should default to root (#).

Installing APKs

By default, on some versions, FireOS blocks the installation of third-party apps via ADB. This restriction can be bypassed with ADB and root access. After rooting your device and booting into FireOS, simply run the following command(s):
adb shell
settings put global disable_bouncer 1
You should now be able to install custom APKs using the following command: adb install app-release.apk

Installing custom Launchers

After flashing the boot image that gives you a rooted shell, install any launcher of your choice and then run the following command(s) to disable the default launcher (persistently, across reboots):
adb remount
adb shell
mv /system/priv-app/com.amazon.paladin/com.amazon.paladin.apk /system/priv-app/com.amazon.paladin/com.amazon.paladin.bak
reboot

This should force your custom launcher to show up. To restore this, simply run:
adb remount
adb shell
mv /system/priv-app/com.amazon.paladin/com.amazon.paladin.bak /system/priv-app/com.amazon.paladin/com.amazon.paladin.apk
reboot


Supplementary information / QA:

Q: How do I go back to the original OS?

A: If you followed the WHOLE guide, you must have created a backup with the provided scripts. The easiest way to return to stock is to restore your backup, since as you might know already, OOBE crashes after unlocking the device.

If you failed to create a backup (be it because you didn't bother reading the whole guide or because you had any other trouble), you can fully restore the stock OS and relock the bootloader by following the "Fully going back to Fire OS" section of the OP.

Q: Can this be ported to other Echo Show devices?

A: Most likely not. This isn’t feasible for a few reasons. First, the exploit targets MediaTek chipsets, while many Echo Show models use different SoCs. Second, the vulnerability was patched in March 2019, so only devices released around 2019-2021 are technically exploitable.

Q: Why should I unlock my Echo Show?

A: That’s up to you, but I recommend it if you want to customize the device. Unlocking lets you replace the launcher, install custom apps (Home Assistant dashboards, YouTube, etc.), and even play games. I exploited this mostly for fun, I don’t have a killer practical use for the device, I just enjoy tinkering.

Q: Can Amazon patch this vulnerability?

A: Yes, Amazon can patch the vulnerability and will likely do so promptly. If you plan to test or exploit vulnerable devices, be aware that the window of opportunity may be short. Per Amazon’s official documentation, this device is covered by security updates through 2029.

Q: Can this permanently brick the device?

A: Yes, the exploit flashes many low-level components (LK, PL, TEE), and if the unlocking or flashing process fails at any point the unit can be permanently bricked, so you must assume that risk before attempting anything.

Q: Will Amazon ban or blacklist my device/account for modifying the firmware?

A: There are no widespread public reports of Amazon banning accounts solely for modifying Echo firmware; most public instances of “blacklisted” devices involve lost/stolen units or account/registration problems. That said, Amazon’s terms allow them to change, suspend, or discontinue Alexa services and they can block or restrict devices/accounts, so while outright bans for firmware tinkering appear uncommon, you shouldn’t assume zero risk.

Q: How is this even possible?

A: It’s all black magic... Just kidding, you can check out the actual code and see how it works here: https://github.com/R0rt1z2/amonet/tree/mt8163-cronos

This works, exactly what I needed, literally came out while I was trying to jailbreak it.
@Rortiz2 Thank you so much for your amazing work. You’re a wizard.

Can I just confirm I’m interpreting your instructions correctly?

“any version newer than 6.5.7.0 is supported”

Does this mean I’m safe if I just update to the latest firmware currently available? We’re not looking for a very specific version?

The reason I ask is that instructions in the Gen1 threads specifically say we should upgrade to the latest firmware version. However it’s not the same stated here.

That’s correct. You can update to whatever the latest version is.
I am pretty sure I know the answer, but asking anyway: For those with an Echo Show 5 - 3rd gen (2023), does that mean they are out of luck?
Correct. Unfortunately the SoC used by that device is not vulnerable to the exploit we’ve been using so far.
Read this whole guide before starting.

THIS IS ONLY for the 2nd gen Echo Show 5 (cronos) released in 2021 (C76N8S)!

For the 1st Gen Echo Show 5 (checkers), FOLLOW THIS THREAD INSTEAD.

This process carries a significant risk of permanently bricking your device if anything goes wrong. Proceed entirely at your own risk.


Neither I nor any contributors will be held responsible for any damage or malfunction resulting from following these instructions.

BEFORE ASKING WHETHER IT CAN BE PORTED TO ANOTHER ECHO DEVICE, READ THE Q&A SECTION TO UNDERSTAND WHY THIS METHOD ONLY WORKS ON THIS MODEL.

CURRENT RELEASE: amonet-cronos-v1.0.0.zip

NOTE: To update to the current release if you are already unlocked, just flash the ZIP in TWRP.

Requirements:

  • A Windows or Linux-based computer
  • A MicroUSB cable to connect the echo to the computer

Instructions:

  1. Check your current firmware version. Only FireOS 6.5.5.0, FireOS 6.5.7.0, or any version newer than 6.5.7.0 is supported.
    (versions newer than 6.5.5.0 but older than 6.5.7.0 are not supported)
  2. If you wish to use the stock OS after the unlock, you MUST be registered onto your Amazon account, otherwise the OOBE will crash and you won't be able to complete the setup process. This means you'll be unable to use the stock Fire OS without restoring from a backup made before the unlock.
  3. Download the latest amonet package from the attachments section of this post.
  4. If you are using Windows, install the Kindle Fire Driver (or, if that doesn't work, install Google’s USB driver for ADB & Fastboot). Detailed installation steps will not be covered here, search online for guidance.
  5. Extract the ZIP file and open the resulting folder. If you are using Linux, open a terminal window within the extracted directory.
  6. If you are using Windows, double-click the fastbrick.bat script. If you are using Linux, run ./fastbrick.sh in the terminal.
  7. Connect the device to the AC charger and hold all three buttons simultaneously until => FASTBOOT mode... appears on the screen.
  8. Once in Fastboot mode, connect the device to the computer using a MicroUSB cable. The script should automatically detect the device.
  9. When prompted, type "YES". Follow all on-screen instructions on both the computer and the device while the exploit executes.
  10. DO NOT INTERRUPT THE PROCESS AFTER THE 10‑SECOND GRACE PERIOD, ANY INTERRUPTION WILL PERMANENTLY BRICK THE DEVICE.
  11. Wait up to five minutes for the exploit to complete. The device will reboot into TWRP.
  12. Once you're in TWRP, if you EVER want to go back to the STOCK Fire OS, you WILL need a backup. This is critical because the OOBE (initial setup) will crash after unlocking, making it impossible to set up a fresh Fire OS installation.

    Run backup.bat if you're on Windows, or backup.sh if you're on Linux to create this backup. Store it in a safe location, this is your only way back to stock Fire OS.


Is it normal that the 3 backup files show 0kb?
Not normal. Is the screen unlocked and the device in the main TWRP screen?
Yes. Tried like 4 times.
Try to manually create the backup with
adb backup -f data.ab --twrp data
adb backup -f system.ab --twrp system
adb backup -f boot.ab --twrp boot
I already boot up, thinking it was normal
Does anyone have a successful backup from latest software?
Pls share so I can have for keeps, in case?
As long as you're still on FireOS, you can always reboot to TWRP and take the backup. If you're on LineageOS, then, yeah, that's gonna be a problem.
I'm on lineage already
I can use someone else's backup file
No, you can't, since the backup is tied to an Amazon account.

Anyway, for you, or anyone else who didn't manage to create a backup and already got rid of Fire OS, I've added to the OP a "Fully going back to Fire OS" section that basically guides you to restore the original firmware and relock the bootloader. Then you can log in to your Amazon account, and then unlock again and make a backup.

This is a risky procedure and you need to make sure to follow what the script tells you. I've tested it with my unit beforehand and it worked fine so far, but as usual, any damage caused to your device is solely your responsibility.
