How can I root a stb, running Android 6.0.1 with no access to bootloader.
I have access to recovery, but it accepts only vendor encrypted/signed update files.
Adb via usb is not available, but can connect using wifi/lan when OS has booted.
Have already tried most one-click apps.
Any crazy idea/help/suggestion is appreciated.
People interested in details, can read the long story below.
The Amazon Prime app on the settop box lags a lot many a times while Netflix and Youtube work perfectly fine. So, I thought of diagnosing the problem using adb logact and found every few seconds, few frames are getting skipped. To analyze the problem further, isolate bandwidth/resources problems vs app problem, wanted to root the device.
This is the first time, I am trying to root a device for which no existing solution is available. I have been trying to root for two weeks now, but no luck. . While the Amazon prime was the reason for this voyage, rooting will open new avenues.
About the device:
⦁ Sold by Airtel India under brand name Internet TV (Not IPTV)
⦁ Manufactured by LG Electronics. Model: SH960S-AT
⦁ LG has published the opensource components used here.
⦁ More details about the hardware here.
⦁ Android Lollypop, upgraded to Marshmallow 6.0.1
⦁ With March 2018 Android Security Update
Here is what all I have tried so far:
⦁ Device does not detect when connected using USB Male to Male cable. So, no ADB USB.
⦁ However, I can connect ADB using Wifi. (adb connect IP).
⦁ To be sure of the IP, I have configured my Router DHCP to assign a specific IP to the MAC
⦁ I found in default.prop persist.sys.usb.config=none. My assumption, airtel has disabled adb via USB connection.
⦁ If I do a adb reboot bootloader, system restarts but gets stuck on the vendor logo.
⦁ In that state, I have tried many possible key combinations (power button on the box, several other buttons on the remote and usb keyboard), but it stays stuck there, until you pull the plug.
⦁ I have also tried many button combinations in power off state, no luck.
⦁ USB is still not recognized in this state, so no adb or fastboot.
⦁ Doing adb reboot recovery restarts the system into the stock android recovery.
⦁ The same screen can be reached by following steps:
⦁ Unplug the box
⦁ Keep the power button pressed, plug in the device.
⦁ After the android logo comes, press Home from keyboard.
⦁ The following options are available:
⦁ Reboot to Bootloader: Same as above, gets stuck on vendor logo.
⦁ Apply update from Adb: Since usb connection/adb is not available, it just waits for a connection and times out. Adb using wifi/lan does not work. I assume, their drivers are not initialized in recovery.
⦁ Apply update from SD Card: I have copied the usual (su binary update.zip) to root of sd card. But it does not mount SD card properly. I have tried SD cards of different sizes, formats etc., no luck.
⦁ Apply update from USB: It was not recognized initially, but after going through recovery logs and trying several formats for the card, now it recognizes the card. I can select the zip file, but it shows Failed to map file. I assume it is not finding a vendor specific signature/encryption
One-click apps and other exploits
⦁ Have tried all the popular one-click apps, Kingroot, Framaroot, etc., no luck.
⦁ Have tried dirtycow exploit. But since the security update is March 2018, none of the known exploits work.
⦁ I am yet to find any POC for fixes in April 2018 or later android security updates.
⦁ One system app called OtaDownloaderApp.apk is probably used by the vendor to push OTA updates.
⦁ Pulled the apk and disassembled it to find the url of the update file.
⦁ Downloaded it to understand the structure and explore any other possibility.
⦁ It does not seem like a normal .zip file and might be encrypted.
⦁ I tried the above file as Apply Update from USB from Recovery, it installed the updates
⦁ Now, could there be a way to decrypt/modify the update file to include su?
To add: Since the device is yet to be rooted, no way to extract the boot.img and patching.
Let me know if you need more clarification in any points I have mentioned.
* For some reason, I am not able to embed images in the post. You can view them here.