@@ -0,0 +1,133 @@ |
|
|
## Rooting Xiaomi TV Box S 2nd Gen (jaws) without UART/teardown |
|
|
|
|
|
### Table of contents |
|
|
- Prerequisites |
|
|
- Step 1: Download the stock ROM for Xiaomi TV Box S 2nd Gen |
|
|
- Step 2: Extract boot image from the OTA archive |
|
|
- Step 3: Update the system with downloaded OTA archive |
|
|
- Step 4: Patch boot image with Magisk |
|
|
- Step 5: Unlock bootloader with `fastboot` |
|
|
- Step 6: Reboot to system and complete setup |
|
|
- Step 7: Redo preparation listed in prerequisites above again (e.g. enabling OEM unlock, USB debugging...) |
|
|
- Step 8: Disable AVB (Android Verified Boot) and install the patched boot image |
|
|
|
|
|
### Prerequisites |
|
|
- (Recommanded) Basic knowledge to command line utilities like `cd` and `ls` |
|
|
- `adb` and `fastboot` available on your computer (download it [here](https://developer.android.com/tools/releases/platform-tools)) |
|
|
- [Android OTA payload extractor](https://github.com/tobyxdd/android-ota-payload-extractor) (download the executable archive in the `Release` section and extract it using `tar` or File Explorer depending on your OS) |
|
|
- An USB-A male to male cable for connecting the Mi Box and your computer (can be easily be made with two charging cables by soldering/twisting the wires inside with same color together) |
|
|
- A USB keyboard |
|
|
- Developer option activited and `OEM unlocking` is switched on |
|
|
- USB debugging enabled |
|
|
- Magisk Manager and a file picker UI (e.g [FX File Explorer](https://play.google.com/store/apps/details?id=nextapp.fx&hl=en_US)) installed |
|
|
- Backup all data in the Mi Box as factory reset will be proceed later |
|
|
|
|
|
### Step 1: Download the stock ROM for Xiaomi TV Box S 2nd Gen |
|
|
We need to get the boot image of the device for rooting, this can be done by extracting the boot image from OTA update archive. |
|
|
|
|
|
Download the latest OTA zip for Xiaomi TV Box S 2nd Gen from [4pda.to](https://4pda.to/forum/index.php?showtopic=1068290) (Google Translate might necessary), locate the `Firmware` section and download the latest OTA there. |
|
|
|
|
|
### Step 2: Extract boot image from the OTA archive |
|
|
- Extract `payload.bin` from the archive using File Explorer or `unzip` command |
|
|
- Extract all partition images from `payload.bin`: |
|
|
```shell |
|
|
/path/to/android-ota-extractor payload.bin |
|
|
``` |
|
|
|
|
|
- (Optional) delete all images except `boot.img` and `vbmeta.img` as we don't need them. |
|
|
|
|
|
### Step 3: Update the system with downloaded OTA archive |
|
|
|
|
|
In order to make sure the boot image extracted above matches the system, updating the Mi Box with the downloaded OTA archive first is recommanded. |
|
|
|
|
|
- Reboot to recovery with `adb`: |
|
|
```shell |
|
|
/path/to/adb reboot recovery |
|
|
``` |
|
|
|
|
|
- Use a USB keyboard to select `Apply update from ADB` with arrow keys |
|
|
- Reconnect with the USB-A male to male cable |
|
|
- Apply the OTA with `adb`: |
|
|
```shell |
|
|
/path/to/adb sideload <REPLACE ME WITHTHE PATH TO THE OTA ZIP> |
|
|
``` |
|
|
- Reboot to Google TV after update completed |
|
|
|
|
|
### Step 4: Patch boot image with Magisk |
|
|
|
|
|
- Send the extracted boot image to the Mi Box with `adb`: |
|
|
``` |
|
|
/path/to/adb push boot.img /sdcard/boot.img |
|
|
``` |
|
|
|
|
|
- The boot image should be available in `Internal Storage/boot.img` now |
|
|
- Open Magisk, click `Install` and select the boot image |
|
|
|
|
|
> [!NOTE] |
|
|
> If the file picker does not show up, install a file manager with file picker UI first (e.g [FX File Explorer](https://play.google.com/store/apps/details?id=nextapp.fx&hl=en_US)) |
|
|
|
|
|
- The patched boot image should be available in `/sdcard/Download` (the path will be shown in the Magisk app if patched successfully) |
|
|
|
|
|
- Use `adb` to upload the patched image back to computer: |
|
|
```shell |
|
|
/path/to/adb pull <PATH SHOWN IN MAGISK> patch-boot.img |
|
|
``` |
|
|
|
|
|
- Now a new file called `patch-boot.img` should be appeared in the current directory |
|
|
|
|
|
### Step 5: Unlock bootloader with `fastboot` |
|
|
|
|
|
- Reboot to `fastboot` mode: |
|
|
```shell |
|
|
/path/to/adb reboot bootloader |
|
|
``` |
|
|
|
|
|
- Unlock the bootloader with the following command: |
|
|
```shell |
|
|
/path/to/fastboot flashing unlock |
|
|
/path/to/fastboot flashing unlock_critical |
|
|
``` |
|
|
|
|
|
> [!CAUTION] |
|
|
> Using `fastboot` incorrectly might result in unrecoverable damage to your box (i.e. bricked). Proceed with caution! |
|
|
|
|
|
> [!IMPORTANT] |
|
|
> Unlocking the bootloader will trigger factory reset after reboot, so please remember to backup your data first! |
|
|
|
|
|
> [!NOTE] |
|
|
> Run the following to check if the bootloader is unlocked successfully (look for `unlocked` in output): |
|
|
> ```shell |
|
|
> /path/to/fastboot getvar all |
|
|
> ``` |
|
|
|
|
|
### Step 6: Reboot to system and complete setup |
|
|
### Step 7: Redo preparation listed in prerequisites above again (e.g. enabling OEM unlock, USB debugging...) |
|
|
### Step 8: Disable AVB (Android Verified Boot) and install the patched boot image |
|
|
|
|
|
> [!TIP] |
|
|
> AVB (Android Verified Boot) is a security feature introduced in Android 8, which prevents the system booting with modified boot image. |
|
|
> |
|
|
> Disabling AVB is required in order to boot the patched boot image above. |
|
|
|
|
|
- Reboot to `fastboot` mode: |
|
|
```shell |
|
|
/path/to/adb reboot bootloader |
|
|
``` |
|
|
|
|
|
- Flash the `vbmeta` image with verification option disabled: |
|
|
```shell |
|
|
/path/to/fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img |
|
|
``` |
|
|
|
|
|
- Flash the patched boot image: |
|
|
```shell |
|
|
/path/to/fastboot flash boot patched-boot.img |
|
|
``` |
|
|
|
|
|
- Reboot to system: |
|
|
```shell |
|
|
/path/to/fastboot reboot |
|
|
``` |
|
|
|
|
|
### All done |
|
|
- Feel free to provide suggestions on this tutorial to make it more noob friendly :) |
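
Review bot: Step 8 flashes `patched-boot.img`, but the Step 4 pull command saves the Magisk output as `patch-boot.img` and the next bullet confirms that name, so `/path/to/fastboot flash boot patched-boot.img` points at a file the earlier steps never create. Use one name in both places, for example change the Step 4 command to `/path/to/adb pull <PATH SHOWN IN MAGISK> patched-boot.img` and update the bullet after it. Two documentation gaps are worth closing in the same pass. Step 1 takes the OTA from a forum thread and nothing before the Step 3 sideload tells the reader how to confirm the archive is the intended one, so consider listing the expected file name and a checksum next to the link. The Step 8 TIP says disabling AVB is required but not that flashing `vbmeta` with `--disable-verity --disable-verification` leaves the box booting unverified images from then on; one sentence stating that, and that the stock `boot.img` and `vbmeta.img` from Step 2 should be kept for restoring, would help. Steps 6 and 7 are headings with no body, which reads as unfinished; a single line under each would do. Smaller points: the Step 4 `adb push` fence is missing the `shell` tag the other blocks use, and there are typos in "Recommanded"/"recommanded", "activited" and `WITHTHE`.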