Kill the kill switch - "ST - yy"

By Bogdacutu, Senior Member on 15th August 2015, 07:43 PM
< include generic disclaimer here >

TL;DR

Since update 3.1, Nvidia can force updates (such as the one that bricks your tablet) to be downloaded and installed silently. No guarantees, but:
  • If you're on stock, delete TegraOTA (/system/app/TegraOTA or /system/priv-app/TegraOTA if you're on 5.0 or newer, or /system/app/TegraOTA.apk if you're still on 4.4) before booting into Android (the attached ZIP file does this for you, but please check with the file manager in recovery before rebooting and let me know if it didn't work), then reboot
    Note: you also will need to delete TegraOTA again if you ever install an OTA from Nvidia or a recovery image
  • If you're not on stock, you're probably safe
EDIT: The urgent OTA is currently not getting sent out to any devices anymore, not even to those who have been getting it before.
EDIT 2: The urgent OTA is now being delivered again, this time named "ST - yy"!

What if my tablet is already deactivated?

Unless you can still boot into fastboot mode (in which case your tablet isn't really deactivated yet), your tablet is probably gone for good. The only way to fix this would be through nvflash, and using it requires the SBK that is unique to each device and that only Nvidia knows, so it's pretty unlikely that we'll ever be able to fix these deactivated tablets.

What/why/how?

In the last OTA (Update 3.1), Nvidia has made some changes to their TegraOTA application. The most important/interesting/suspicious of which is the ability for them to mark OTAs as "urgent". What this means is that these updates will be downloaded without ever notifying the user, and they will be installed without asking the user for permission first. If this is how the kill switch is delivered, all users will see is the tablet randomly rebooting and installing an update, then the tablet would never boot again. As some of you might notice, this would match what has been happening to a few users already, both here and on reddit.

But that's not all. I've been connecting to the OTA servers using various serial numbers (both found and provided to me by a few people) in hopes of actually finding the update that bricks the device. The first serial number I've tried that wasn't mine was the serial number from the screenshot on the recall page. It revealed an interesting "urgent" OTA, named "SHIELD Tablet xx - LTE", which does nothing but flash a blob (which, among other things, contains the bootloader). Many more questions appear now, but the main one is: if this is nothing but a routine bootloader update, why is it marked urgent? And why is it not attached to any Android update? But this by itself is not enough to prove anything, as I could only obtain it with one serial number, so as far as I could have known, it might have just been an internal update or something similar. (update is linked and analysed in the second post below)

Today, however, one of the serial numbers I've been given by some of the people here (thanks for the help guys!) turned out to have the same update waiting for it the next time it connected to the Internet. This rules out the possibility of an internal update, so the next somewhat obvious possibility is that this is the kill switch. Mind you, I still have no direct way of proving this without flashing the ZIP to see what happens (which I'm not planning to do myself), but I will keep checking on the other serial numbers I've gotten to see if this update turns up for them too.

The same person who has given me this serial number has also tested running the old tablet on the latest stock Android version but with TegraOTA removed, and, as expected, the tablet is still working perfectly fine now. Your mileage may vary.

How can I know if the kill switch has been triggered for my tablet?

Go to http://shield.bogdacutu.me/ and enter the full serial number of your old tablet. If the next OTA returned is "SHIELD Tablet xx" or "ST - yy", the kill switch has been triggered for your tablet.
Warning: the serial number from the box of the tablet and the one etched on the side of the tablet are not complete, as they only contain the first 13 characters of the full (20 characters) serial number. You can get the full serial number from Android (Settings -> About -> Status), from the bootloader (it will be on the screen when you boot into bootloader mode), or from your computer if the tablet is or (in some cases) if it was previously connected, using various tools such as USBDeview. Example: 0413714803249000a4cf (you can try this on the page and it will return that the kill switch is activated).

Why would I want to also do the fix on my new tablet too?

The update is signed by Nvidia, and communication with the OTA server does not use HTTPS, so, for example, a malicious WiFi network could MITM your connection and cause this update (as well as any other signed update) to be flashed to your new tablet without your permission, thus permanently disabling it too. If you have the stock recovery, only updates signed by Nvidia can run. The story might be slightly different if your recovery doesn't enforce signature verification (such as TWRP and CWM by default).

Can I still get updates from Nvidia after doing this?

Not directly, but people will post OTA download links here on xda when new updates get released. I'd personally recommend that you wait before flashing, though, until someone here checks the new update to confirm that there's no new way for Nvidia to kill your tablet.


Many hours of work have gone into investigating this. Even if it doesn't help your specific scenario, consider hitting that Thanks button, so that I can at least know it wasn't for nothing.
I'd also like to thank the people who have given me their serial numbers to use for testing again, this wouldn't have been possible without their help: @Beauenheim, @Jackill, and @runandhide05 (who has even volunteered to test removing TegraOTA with the latest update on his old tablet)
Attached file: nomoreota.zip (362.3 KB)
15th August 2015, 07:44 PM |#2 by Bogdacutu (OP)
Fragments of code from TegraOTA.apk
< screenshots temporarily removed >

Also, from what I've seen so far, the update isn't delivered instantly after activating the new tablet. I don't know exactly what the rule is, but out of the 4 serial numbers that I have, only 2 have this update waiting for them.

EDIT: One more serial number from the ones I have has gotten the xx update. Only one left...

EDIT 2: All the serial numbers I have have the urgent OTA waiting for them now.
15th August 2015, 07:44 PM |#3 by Bogdacutu (OP)
"SHIELD Tablet xx" - Update Analysis
OTA URL: http://ota.nvidia.com/ota/data/poste...0624152335.zip
yy OTA URL: http://ota.nvidia.com/ota/data/poste...0819152732.zip (if you don't know what you're doing, DO NOT DOWNLOAD THIS, it's very likely that this will permanently brick your device upon flashing it!!!) - also attached to this post in case this link becomes invalid

updater-script is the first file we check:
Code:
getprop("ro.product.device") == "shieldtablet" || abort("This package is for \"shieldtablet\" devices; this is a \"" + getprop("ro.product.device") + "\".");
nv_copy_blob_file("blob", "/staging");
reboot_now("/dev/block/platform/sdhci-tegra.3/by-name/MSC", "");
Suspiciously enough, this only flashes a blob to the staging partition. But what exactly does this blob do, you might ask? Well, the blob actually contains data for 9 partitions, which are automatically replaced during the next boot (before the bootloader does anything else at all, so once you've rebooted, there's no going back) with the contents present in this blob. The 9 partitions are as follows (also detailing comparison with files from update 3.1):
  • BCT (Boot Configuration Table) - stores some information that is needed for the device to find the bootloader stored on the other partitions, initialize the RAM and some other stuff
    Status after update: probably corrupted - the previous OTAs have binary BCTs, but this update replaces it with a text file (which, while it does contain somewhat relevant information, is likely not a valid format). If this is corrupted, it's enough for the device not to be able to boot anymore.
  • BMP (boot logo) - intact
  • DTB - intact
  • EBT (part of the bootloader) - has a zeroed out region
  • NVC (part of the bootloader) - intact
  • RBL (part of the bootloader) - has a zeroed out region
  • RP4 (landscape boot logo) - intact
  • TOS (Trusted OS - probably part of the bootloader too) - has a zeroed out region
  • WB0 (related to the boot process, source file is named "nvbootwb0.bin") - has a zeroed out region
The update also contains a few other files, but those are not used at all (probably leftovers from the 5.1 AOSP update template that they are using).

DO NOT DOWNLOAD THE ATTACHMENT IF YOU DON'T KNOW WHAT YOU'RE DOING. THIS IS THE XX OTA, NOT THE ZIP THAT REMOVES TEGRAOTA!
15th August 2015, 07:51 PM |#4, Member
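The comparison post #3 does by hand, written out as an added example (not a tool from the thread): given a known-good set of partition images (update 3.1 in the thread) and the set carried by a suspect blob, it reports images swapped for a text file and regions that were zeroed out. The partition images below are constructed bytes, not real Tegra contents, and the blob container itself is assumed to be already unpacked into per-partition images.

```python
def looks_like_text(data: bytes) -> bool:
    """True if nearly every byte is printable ASCII (a BCT should be binary)."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.95

def zeroed_regions(baseline: bytes, new: bytes, min_len: int = 16) -> list:
    """(start, end) runs of zeros in `new` where the good image held data."""
    regions, i, n = [], 0, min(len(baseline), len(new))
    while i < n:
        j = i
        while j < n and new[j] == 0:
            j += 1
        if j - i >= min_len and any(baseline[i:j]):   # short runs: padding
            regions.append((i, j))
        i = j + 1 if j == i else j
    return regions

def compare_update(baseline: dict, new: dict) -> dict:
    """Per-partition verdict, keyed by the names used in post #3."""
    report = {}
    for name, good in baseline.items():
        img = new.get(name)
        zr = zeroed_regions(good, img) if img else []
        if img is None:
            report[name] = "missing"
        elif img == good:
            report[name] = "intact"
        elif name == "BCT" and looks_like_text(img) and not looks_like_text(good):
            report[name] = "replaced with text (probably corrupted)"
        elif zr:
            report[name] = "zeroed region(s) at " + ", ".join(f"{s:#x}-{e:#x}" for s, e in zr)
        else:
            report[name] = "modified"
    return report

# Constructed sample images (not real Tegra partition contents).
GOOD = {
    "BCT": bytes(range(256)) * 2,                          # binary-looking
    "EBT": bytes((i * 7 + 1) % 256 for i in range(512)),   # bootloader stand-in
    "BMP": b"BM" + bytes(64),                              # boot logo stand-in
}
SUSPECT = {
    "BCT": b"# constructed text stand-in for a BCT\nBlockSize = 0x8000;\n" * 8,
    "EBT": GOOD["EBT"][:128] + bytes(128) + GOOD["EBT"][256:],   # 128 B wiped
    "BMP": GOOD["BMP"],
}
```

Calling `compare_update(GOOD, SUSPECT)` reproduces the three verdict kinds from post #3: BCT replaced with text, EBT with a zeroed region, BMP intact.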
Just as I suspected!!
15th August 2015, 07:55 PM |#5 by tecnoworld
Thanks a lot, this is great. So the silent updater can force updating even with a custom recovery like CWM?

How to install the provided zip?

Thanks again.
15th August 2015, 07:56 PM |#6 by Bogdacutu (OP)
Quote:
Originally Posted by tecnoworld

Thanks a lot, this is great. So the silent updater can force updating even with a custom recovery like CWM?

How to install the provided zip?

Thanks again.

CWM and TWRP are both compatible with OTAs, so yes, it can. If you completely erase the recovery (fastboot erase recovery), the update can't get flashed, but the tablet will still reboot (which is at least annoying).

You can flash the provided ZIP through CWM or TWRP (but please check through the file manager if /system/app/TegraOTA still exists after installing it, the ZIP hasn't gone through a lot of testing so it might not work properly in all cases).
15th August 2015, 07:57 PM |#7 by bluegizmo83
Quote:
Originally Posted by tecnoworld

Thanks a lot, this is great. So the silent updater can force updating even with a custom recovery like CWM?

How to install the provided zip?

Thanks again.

This was to be my question too... Normal OTA updates will not flash if you have a custom recovery, so how would this silent OTA update?
15th August 2015, 07:58 PM |#8 by Bogdacutu (OP)
Quote:
Originally Posted by bluegizmo83

This was to be my question too... Normal OTA updates will not flash if you have a custom recovery, so how would this silent OTA update?

Normal OTAs don't work through custom recoveries because they do various checks that usually fail when you have a custom recovery (such as whether the system partition is modified, by rooting for example); this urgent OTA has none of those checks.
15th August 2015, 08:00 PM |#9 by bluegizmo83
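A check for the pattern this reply describes (write to a partition and reboot, with none of the checks an ordinary OTA makes), as an added example and not a tool from the thread: it lists the Edify calls in an updater-script, ignoring words inside string literals, and flags a script that writes or reboots without any verification call. Input is the urgent OTA's script exactly as quoted in post #3, beside a constructed ordinary script whose SHA-1 values are placeholders.

```python
import re

# The urgent OTA's updater-script as quoted in post #3 (extracted text).
URGENT_OTA_SCRIPT = r'''
getprop("ro.product.device") == "shieldtablet" || abort("This package is for \"shieldtablet\" devices; this is a \"" + getprop("ro.product.device") + "\".");
nv_copy_blob_file("blob", "/staging");
reboot_now("/dev/block/platform/sdhci-tegra.3/by-name/MSC", "");
'''

# Constructed stand-in for an ordinary OTA: it verifies what is on the
# device before writing anything (the SHA-1 arguments are placeholders).
ORDINARY_SCRIPT = r'''
ui_print("Verifying current system...");
apply_patch_check("/system/build.prop", "sha1-old-placeholder", "sha1-new-placeholder") || abort("\"/system/build.prop\" has unexpected contents.");
mount("ext4", "EMMC", "/dev/block/platform/sdhci-tegra.3/by-name/APP", "/system");
package_extract_file("boot.img", "/dev/block/platform/sdhci-tegra.3/by-name/LNX");
'''

# Edify calls that verify device state before an update touches anything.
SAFETY_CHECKS = {"apply_patch_check", "sha1_check", "assert"}
# Calls that write firmware/partition data or force an immediate reboot.
WRITE_OR_REBOOT = {"nv_copy_blob_file", "write_raw_image",
                   "package_extract_file", "reboot_now"}

STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')     # Edify string literal, \" aware
CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(')   # identifier followed by "("
BLOB_RE = re.compile(r'nv_copy_blob_file\(\s*"([^"]*)"\s*,\s*"([^"]*)"')

def edify_calls(script: str) -> list:
    """Function names called, in order, ignoring words inside string literals."""
    return CALL_RE.findall(STRING_RE.sub('""', script))

def blob_targets(script: str) -> list:
    """(source file, destination) pairs handed to nv_copy_blob_file."""
    return BLOB_RE.findall(script)

def audit(script: str) -> dict:
    """Flag a script that writes or reboots without any of the usual checks."""
    calls = edify_calls(script)
    checks = sorted(set(calls) & SAFETY_CHECKS)
    writes = [c for c in calls if c in WRITE_OR_REBOOT]
    # The only guard in the urgent OTA: abort on a device-name mismatch.
    device_guard = "getprop" in calls and "abort" in calls
    verdict = "suspicious" if writes and not checks else "ordinary"
    return {"calls": calls, "safety_checks": checks, "writes": writes,
            "device_guard": device_guard, "verdict": verdict}
```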
Quote:
Originally Posted by Bogdacutu

Normal OTAs don't work through custom recoveries because they do various checks that usually fail when you have a custom recovery (such as whether the system partition is modified, by rooting for example); this urgent OTA has none of those checks.

Oh ok! Great explanation. Thanks for all your hard work on this! I'm flashing the zip now, I'll report back if it removes the file.

Edit: Ok I flashed the zip, and TegraOTA is gone. Now I will finally turn on my new tablet and set it up!
15th August 2015, 08:04 PM |#10 by fkofilee
So out of interest, what do you think the chances are that this'll work?
How did you find out if the update is waiting? FYI I flashed the ZIP... All is good and it booted fine on LTE 32Gb...

Plus the deleting of the TegraOTA File has gone through... So you really think the TegraOTA removal has stopped it?
How do I check if I have randomly downloaded that update?
15th August 2015, 08:04 PM |#11, Junior Member
Great post. Hopefully that's as far as Nvidia is going to go. I flashed a custom rom on my old tablet. I'm keeping my new one stock but deleting the system app per your post. Just in case Nvidia is spiteful when I don't return the old tablet. I don't want to leave them any option of nuking the new one.