BOOTMOD - Root your Shield In 1 minute (2015, 2017, & 2019)

Search This thread

Zer0_rulz

Senior Member
Dec 22, 2014
86
21
I installed link2sd to get a better view, maybe one of these apk's that ai upscaling are bundled on it something like that
 

Attachments

  • 20221216_191422.jpg
    20221216_191422.jpg
    7.5 MB · Views: 43
  • 20221216_191410.jpg
    20221216_191410.jpg
    7.6 MB · Views: 45
  • 20221216_191356.jpg
    20221216_191356.jpg
    7.3 MB · Views: 32
  • 20221216_191346.jpg
    20221216_191346.jpg
    6.9 MB · Views: 52

pinvok3

Member
Sep 15, 2017
8
12
Thanks for the tremendous work!

I do have the same issue (v8.2.3). I can enable AI upscaling, but it always reverts back to 'Enhanced' as the media is unsupported. If I play 4k media it correctly says that it doesn't need to upscale. 1080p is always unsupported. At least no unlocked bootloader error anymore. :)

This happens on Kodi, NextTube and Netflix. I remember vividly that the upscaling worked on Netflix and NextTube before the rooting. I've followed the guide completely, also reset Google Play Services and all that.

Could it be, because I have no Google Account linked, and they need one for fancy data collection?

Before the fix, even Enhanced wasn't available so I'm happy already. The progress being made is really great.

If I can help with something, I'll happily support. I'm a software engineer but never have worked on Android related stuff. So I need at least some pointers where to look. :)

/Edit: I have recently changed from TV to a projector. So I can't guarantee that it's not a display configuration issue. But it's a 4k/HDR10 projector. So it should act like a normal 4k TV.
 
Last edited:

jenneh

Senior Member
1. I might have misread what Nooted said, and assumed they got the upscaler working when maybe they were only referring to the root on stock part and being able to run apps not normally allowed on root.

2. That being said I did a test today to try to determine if using magiskhide settings with safetynet could Actually Even fix our issue and according to what I tried it cannot.

Here's what I did: I enabled magiskhide on literally everything on the machine, reboot.

Go into settings and I signed out of my google account, force stopped every single app installed and system app, cleared all data of everything, disabled every app that would allow it, uninstalled every update for the apps that would allow, and rebooted. Tried with and without google login and same problem.

3. I have corrected the title of this thread until an upscaler method can be fully found.

4. How I plan to proceed tomorrow:

I want to go through and start uninstalling apks, partition by partition, to see what happens. What does it break? Can we even delete some of these apps without some sort of weird crypto back-end break, etc? Could it be possible to find the app containing the Upscaler by means of elimination? IE keep deleting things until the upscaler option disapears or goes grey all together? Going to start in /vendor... there's some interesting apks in there.

If we can find the apk maybe we can pull it and do things with it

edit --I just thought about it but I forgot to try to lock the bootloader after all that and try again. I will try tomorrow
 
Last edited:
  • Like
Reactions: louforgiveno

Zer0_rulz

Senior Member
Dec 22, 2014
86
21
1. I might have misread what Nooted said, and assumed they got the upscaler working when maybe they were only referring to the root on stock part and being able to run apps not normally allowed on root.

2. That being said I did a test today to try to determine if using magiskhide settings with safetynet could Actually Even fix our issue and according to what I tried it cannot.

Here's what I did: I enabled magiskhide on literally everything on the machine, reboot.

Go into settings and I signed out of my google account, force stopped every single app installed and system app, cleared all data of everything, disabled every app that would allow it, uninstalled every update for the apps that would allow, and rebooted. Tried with and without google login and same problem.

3. I have corrected the title of this thread until an upscaler method can be fully found.

4. How I plan to proceed tomorrow:

I want to go through and start uninstalling apks, partition by partition, to see what happens. What does it break? Can we even delete some of these apps without some sort of weird crypto back-end break, etc? Could it be possible to find the app containing the Upscaler by means of elimination? IE keep deleting things until the upscaler option disapears or goes grey all together? Going to start in /vendor... there's some interesting apks in there.

If we can find the apk maybe we can pull it and do things with it

edit --I just thought about it but I forgot to try to lock the bootloader after all that and try again. I will try tomorrow
I think freezing an apk will work, link2sd or sd maid can do it
 
  • Like
Reactions: jenneh

jenneh

Senior Member
I want to try to freeze these apk's to find the ai upscaler, but my question is, is it fine to install twrp on 9.1.1?, so i could have a backup incase of bootloops
You can def run TWRP, now backing up may be a different story when you go to restore. I was never actually successful with a restore, always bootlooped. Then again I never tried stock and that was a year ago so who knows. If it works for you please let me know.

Just to rule it out, I tried relocking the bootloader today with all the steps applied and the shield did not like that. It refused to boot entirely so I am going to play magic eraser today and I look forward to your results playing Mr Freeze and we will see what happens! I always like it when something can be turned off instead of removed or at least have that option available, :0
 
Last edited:
  • Like
Reactions: louforgiveno

pinvok3

Member
Sep 15, 2017
8
12
Maybe I can propose a different way?

You can configure the upscaling through the Android system settings, they are therefore also available with `adb shell settings list system`.

I guess these are the settings the upscaler uses.
Code:
nv_upscale_detail=3
nv_upscale_filter=auto

The 3 is AI Enhancement.

I would dump all system apks, decompile them and search for "nv_upscale" strings.

I wrote a little script that can dump all system apks. Requires nodejs.
JavaScript:
'use strict';

const exec = require('child_process').exec;
const fs = require('fs/promises');

async function getAppPath(appName) {
    return new Promise((resolve, reject) => {
        exec(`adb shell pm path ${appName}`, (stdout, stderr) => {
            resolve(stderr.replace('package:', '').trim());
        })
    })
}

async function dumpSystemAppNames() {
    return new Promise((resolve, reject) => {
        exec(`adb shell pm  list packages -s`, (stdout, stderr) => {
            resolve(stderr.split('\n').map(x => x.replace('package:', '')));
        })
    })
}

async function getSystemAPKPaths() {
    const systemApps = await dumpSystemAppNames();
    const apkPaths = [];

    for (let app of systemApps) {
        console.log("Getting Path for: ", app);
        const apkPath = await getAppPath(app);
        apkPaths.push({apk: app, path: apkPath});
    }

    return apkPaths;
}

async function pullAPK(path, location) {
    return new Promise((resolve, reject) => {
        exec(`adb pull "${path}" "${location}"`, (stdout, stderr) => {
            resolve(stdout + "\n" + stderr);
        })
    })
}

async function pullAPKs(apkInfo) {
    const dumpFolder = `${process.cwd()}/system_apks`;
 
    try {
        await fs.access(dumpFolder);
    } catch (ex) {
        await fs.mkdir(dumpFolder);
    }

    for (const apk of apkInfo) {
        await pullAPK(apk.path, dumpFolder);
    }
}

async function main() {
    const paths = await getSystemAPKPaths();
    await pullAPKs(paths);
}

main();

I guess we can extend this script and add JADX. Go through all decompiled apks and look out for the config strings.
This way we will find all apps that are using the configuration and can be sure we are not missing a few.

/edit:

Okay, I did just that. This string seems to be used by TvSettings very often. It seems to controlling a certain service/library and is also responsible for checking the upscaling status. "Unlocked bootloader" is displayed by that app. I would suggest to concentrate on that App for now, especially the HWCService/INVDisplay and Upscale related files.

A cold guess into the dark:
Magisk Hide currently doesn't hide behind that specific display service/module and only behind the apps. The module blocks the upscaling because it still sees the root, but the apps think everything is fine.

Or we lost some kind of DRM keys during the boot unlocking phase.

There seems to be communication between the hardware layer and the app. Primarily the interface [email protected]::INvDisplay could be interesting. This is where the upscale fail reason gets pulled from and should be responsible for activating the upscaling. I hope that the boot unlock isn't somehow reversibly burned into the hardware.
 
Last edited:

jenneh

Senior Member
@pinvok3 Gosh WOW just wow! Thank You for your Amazing Share!! I will absolutely follow your advice and I will get that app pulled now to poke around.

Are you rolling 8.2.3 or one of the 9's btw??

Lastly "Or we lost some kind of DRM keys during the boot unlocking phase." Is this something we can obtain with a serial UART or JTAG adapter? I just got mine in and am not afraid to break the shield open here in a few days if there's something that could be obtained and shared there. I am new to all this so I appreciate everyone sharing the things
 

pinvok3

Member
Sep 15, 2017
8
12
I'm using 8.2.3. The newer 9 versions seem kind of sluggish. But the script should work on 9 regardless.

Lastly "Or we lost some kind of DRM keys during the boot unlocking phase." Is this something we can obtain with a serial UART or JTAG adapter? I just got mine in and am not afraid to break the shield open here in a few days if there's something that could be obtained and shared there. I am new to all this so I appreciate everyone sharing the things
Sorry I have no idea. I've never worked on Android before and I've spent like 30 minutes on this. :D

Jtag is usually lower level stuff and I'm pretty sure it's undocumented. If it exists even.
I just remember, that on a previous phone (Sony Xperia) the drm keys were wiped once you unlock the bootloader, resulting in worse Camera image quality.

Considering that the upscale works correctly after unroot/relocking, I guess this would only be a soft lock. But still could be registered in the hardware somewhere, where we have no access to. Maybe it's still patchable though.
 

jenneh

Senior Member
Sorry I have no idea. I've never worked on Android before and I've spent like 30 minutes on this. :D
Thank You for even taking the time!! Your thirty minutes taught me more than a whole year, so I hope you get paid well doing whatever you do at your day job xD You're a legend in my book

I got the apk pulled for anyone who might want to look at it.

This is the 8.2.3 version

Here's Jadx

Here's a beginner friendly video using jadx and android studio to decompile apks

1671381203988.png
 
Last edited:

louforgiveno

Senior Member
Jun 24, 2010
3,886
2,474
Thank You for even taking the time!! Your thirty minutes taught me more than a whole year, so I hope you get paid well doing whatever you do at your day job xD You're a legend in my book

I got the apk pulled for anyone who might want to look at it.

This is the 8.2.3 version

Here's Jadx

Here's a beginner friendly video using jadx and android studio to decompile apks

View attachment 5787803
Ok, so it appears confirmed that it's the Unlocked Bootloader that keeps ai upscaling from working.(Deepisp)...next see if i can "interfere" with the reporting of unlocked....
But first.....back to the world cup final!
Screenshot_20221218-091507_APK Editor Pro.jpg
 

pinvok3

Member
Sep 15, 2017
8
12
Okay, I'm grasping straws right now, but my shield just crashed after I have started a movie with Dolby Vision enabled. Can someone confirm if Dolby Vision is grayed out (unavailable) on rooted devices but available on nonrooted ones? After this fix I was able to enable Dolby Vision but my system just died with this log:

12-20 23:12:18.951 3725 3839 E WindowManager: Exception checking for game stream. Exception: android.content.pm.PackageManager$NameNotFoundException: ComponentInfo{com.android.tv.settings/.MainSettings}
12-20 23:12:18.951 3725 3839 I InputDispatcher: Dropped event because of pending overdue app switch.
12-20 23:12:18.953 3725 3864 E AudioService: Audioserver died.
12-20 23:12:18.982 4578 5347 D DolbyAudioService: IMs12 implementation died... Restoring settings after restart
12-20 23:12:18.983 4578 5347 D DolbyAudioService: Attempting to connect to IMs12
12-20 23:12:18.992 4578 12382 I DolbyAudioService: Waiting 1 second before attempting to connect to IMs12...
12-20 23:12:19.037 12385 12385 D audiohalservicemsd: main() Starting [email protected] from vendor/dolby.
12-20 23:12:19.050 12385 12385 D : Calling decrypt_blob. err(0)
12-20 23:12:19.056 3432 3432 E Ipprotectd: decrypt_blob: Error during launch operation. err(0xffff0011)
12-20 23:12:19.056 3432 3432 E Ipprotectd: Error occurred at decryption. err(ffff0011)
12-20 23:12:19.058 12385 12385 E : Decryption failed
12-20 23:12:19.058 12385 12385 E : decrypt_blob failed! err(0)
12-20 23:12:19.058 12385 12385 E : Failed to decrypt.
12-20 23:12:19.058 12385 12385 E : Failed decrypt .text section.
12-20 23:12:19.059 12385 12385 F libc : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x4ec98e90 in tid 12385 (android.hardwar), pid 12385 (android.hardwar)
12-20 23:12:19.062 12384 12384 I ServiceManagement: Removing namespace from process name [email protected] to [email protected].

It seems like some encrypted communication fails which takes the whole system with it. It makes me more suspicious that the bootloader unlock removes/hides/blocks some DRM keys required for AI/Dolby Audio to work. If we could somehow hook into the bootloader unlocking phase to see what's happening ..
 

pinvok3

Member
Sep 15, 2017
8
12
Perfect. that's good to know. Thanks!

So your fix seems to enable the option again, but causes a crash in the system upon enabling. I guess the part that decodes Dolby signals and upscales media is denying it's work for some reason or another.

I remember that (At least on my old Xperia) I could backup the DRM keys before unlocking the bootloader and then reapply it after the root by flasing the binary file to some subdevice. Maybe it can be solved the same, but my knowledge is really limited here.
 

louforgiveno

Senior Member
Jun 24, 2010
3,886
2,474
I'm uploading a zip containing the decompiled TvSettings apk in case anyone else wants to look through the .smali files....there's a lot here...kinda like finding a needle in a haystack with my abilities.
I've found a few interesting entries but haven't done any testing yet, just gradually looking through smali files that mention DeepISP and Upscaling/Video to get an idea of where edits can possibly be made.
Here..

 
Last edited:
  • Love
Reactions: jenneh

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    Thanks for your reply!


    I don't like all the launcher apps. So, i hope that it is possible to disable the discover tab and/or disable the ads in the future.

    PS:
    I have the 2019 version.
    Hello mate. it is actually possible to downgrade Shield 2019 to OS 8.2.3. I used this guide and it worked flawlessly: https://florisse.nl/shield/

    Obviously huge thanks to the guy who created it as it saves people so much research and trial + error. Basically alot of time saved.

    Using this tweak guide, I've deleted close to everything from google and Nvidia (bloatware + data collecting) on the 2019 Shield TV: https://florisse.nl/shield-tweaks/

    I've removed the Play Store and Google Play Services, ATV Core Services, ATV Remote Service, Backdrop, Basic Daydreams, Chromecast and many other things.

    I don't use Netflix, Amazon Prime Video, Plex etc. So everything was removed from the Shield.

    This is my ADB batch file to uninstall pretty much everything unneeded:

    Code:
    adb shell pm uninstall -k --user 0 com.google.android.speech.pumpkin & adb shell pm uninstall -k --user 0 com.google.android.tts & adb shell pm uninstall -k --user 0 com.google.android.videos & adb shell pm uninstall -k --user 0 com.google.android.tvrecommendations & adb shell pm uninstall -k --user 0 com.google.android.syncadapters.calendar & adb shell pm uninstall -k --user 0 com.google.android.backuptransport & adb shell pm uninstall -k --user 0 com.google.android.partnersetup & adb shell pm uninstall -k --user 0 com.google.android.inputmethod.korean & adb shell pm uninstall -k --user 0 com.google.android.inputmethod.pinyin & adb shell pm uninstall -k --user 0 com.google.android.apps.inputmethod.zhuyin & adb shell pm uninstall -k --user 0 com.google.android.tv & adb shell pm uninstall -k --user 0 com.google.android.tv.frameworkpackagestubs & adb shell pm uninstall -k --user 0 com.google.android.tv.bugreportsender & adb shell pm uninstall -k --user 0 com.google.android.backdrop & adb shell pm uninstall -k --user 0 com.google.android.leanbacklauncher.recommendations & adb shell pm uninstall -k --user 0 com.google.android.feedback & adb shell pm uninstall -k --user 0 com.google.android.leanbacklauncher & adb shell pm uninstall -k --user 0 com.google.android.apps.mediashell & adb shell pm uninstall -k --user 0 com.plexapp.android & adb shell pm uninstall -k --user 0 com.zattoo.player & adb shell pm uninstall -k --user 0 com.nvidia.tegrazone3 & adb shell pm uninstall -k --user 0 com.plexapp.mediaserver.smb & adb shell pm uninstall -k --user 0 com.google.android.play.games & adb shell pm uninstall -k --user 0 com.netflix.ninja & adb shell pm uninstall -k --user 0 com.amazon.amazonvideo.livingroom & adb shell pm uninstall -k --user 0 com.amazon.amazonvideo.livingroom.nvidia & adb shell pm uninstall -k --user 0 com.google.android.youtube.tvmusic & adb shell pm uninstall -k --user 0 com.android.vending & adb shell pm uninstall -k --user 0 com.google.android.gms

    Keep in mind this is an extensive removal of pretty much everything. Payed apps etc. wont work with such cleanup. Most apps however do work- Kodi, Firefox, SmartTube, Speedtest, Fdroid, AdAware, Aurora Store (with private login, if you want to update some apps), Aptoide, Twitch, all sorts of Emulators etc.

    The thing is that Google Play Store automaticall updates itself in the background, even if you disable it (it gets reenabled automatically) and I dont need that. If I want to update something, I will go to Aurora Store or Aptoide and update manually, but I dont want some sheety apps to be doing whatever they want in the background without asking.

    And I didnt install a 3rd party Android Launcher, I use the default one, there are no more ads though after removing like 80% of trash bloatware and adware. The Android TV Home version is 2.1.3-320113730-f and I'm on ShieldOS 8.2.3. No ads to be seen and since even the Nvidia-OTA service was removed, it will never update the Shield by itself or even show a notification that there are updates available- which is exactly how I want it. Everything I need works fine in 8.2.3 and if I ever need an update, I will do it manually.

    Also, while we're at it- it is possible to skip the initial login after factory restore, as seen on the picture attached. Source of it is: https://www.reddit.com/r/ShieldAndroidTV/comments/o8tpkx
    However it is actually not required to downgrade Android TV Home app to version 2.0.10 to remove ads from the home screen. By simply downgrading to ShieldOS 8.2.3 (down from 9.1.1), the ads were removed from the main screen automatically. Then if you do some additional cleanup (like removing ATV Core Services and disabling autoupdate for Apps in Google Play Store), the ads will never show up.
    1
    Wow!

    Amazing news!!

    I will give it a try in the next few days.

    Can't wait to downgrade to 8.2.3!

    Thanks for the info! (-;

    Best regards from germany
    I downgraded my shield 2019 Pro to 8.2.3 today.

    Really easy and absolutely flawlessly! (-:

    Thanks for this magic!!!!

    Best regards!
  • 9
    Hello Friends~!

    We now have a working method to achieve ROOT on STOCK Firmware!

    A script has been made that can boot your shield into the bootloader, erase the old boot, flash the new boot, and install your choice of Magisk apk for you. The script is also able to revert you back to the stock boot image if needed.

    Takes only a minute or two depending if you already have adb installed, fastboot drivers setup, and bootloader unlocked. (The guide will walk you through this if you are new)

    Rooting Your Shield Will Break AI Upscaling and Dolby Vision. You /Cannot/ Lock the bootloader while rooted, you can only Lock the bootloader when you have the stock boot Image installed. This tool simply makes it easier to "Root" and to Revert back to Stock when done, so you can use your AI Enhanced Features again.

    HOW TO ROOT:

    If you are already running the STOCK firmware version you want to ROOT, Skip to step 2.
    You can check your currently installed firmware on the shield by going into Settings, selecting About, then scroll to the bottom.
    9.png

    You will see a section called SHIELD Android TV SW Version, this will show your installed FW

    STEP 1:
    Select a STOCK firmware from this THREAD, and fully install it.

    STEP 2:
    Download the BOOT MOD that correlates to your installed STOCK firmware.
    If you want to build your own "Boot Mod" the instructions are HERE
    Special Thanks to @Manzing for obtaining the 9.1 and 9.1.1 images for us!
    Special thanks to @I_did_it_just_tmrrow for taking the time to download from gameworks, patch with magisk, and install the 2015 version, and verified it works HERE as well as they verified the hashes were the same for the boot.img of the 500gb and 16gb boot.img
    If you want me to add more, let me know.

    STEP 3:
    Make sure you have usb debugging enabled in settings and your shield is ON.
    This adds an additional Minute to setup time 😊😊😊

    Attach a USB-C cable to your shield and plug it into your PC.
    (Use the USB port furthest away from the HDMI Cable)
    7.png

    Go into settings, select device preferences

    8.png


    Select About, then hit the build number 7 times
    9.png


    Back out to device preferences and now select developer options
    10.png


    Then enable USB debugging and Network debugging.
    11.png


    Here's a way to install adb quickly using powershell and chocolatey.

    Open powershell as admin and copy and paste these two lines, one line at a time:
    Code:
    Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
    
    choco install adb

    That's it!

    Note the ip address and in a terminal on your computer, connect to this ip address.

    Example: adb connect 192.168.0.10:5555
    12.png

    This will prompt the shield to allow for a connection, say yes.

    STEP 4:
    Run your choice of .bootmod, .deltamodonly, or .magiskmodonly. MORE INFO
    Simple 1 min demo:

    How to use the new .bootmod script:

    After Enabling USB Debugging and Wireless debugging, then adb connecting to your device, run the .bootmod script

    SYSTEM MENU.PNG

    If you did everything correctly, your device should be listed, and you may proceed by pressing 1 and enter.

    If you forgot to adb connect you may now do so with option 3, just type in your Shield's IP address.
    ipadd.PNG


    After you select 1 on the main menu, the script will then reboot your device into the bootloader and will wait for you to press a key so the script can run fastboot devices to verify that your device has posted.

    fastboot.PNG

    Wait to press any key until you see your shield's lights come on and then you hear the window's chime on your computer. (see 0:16 in the video) Then Press 1 if your device is listed like above.
    Run option 2 again, in case the script went too fast or you hit a key too quickly.

    If your device is still not showing, make sure you have unlocked the bootloader and installed the fastboot drivers for your device.

    DOWNLOAD:

    Now open Device Manager and follow the steps below:
    1.png
    2.PNG
    3.PNG
    4.PNG
    5.PNG
    NOTE THAT UNLOCKING YOUR BOOTLOADER WILL ERASE ALL DATA ON THE DEVICE!

    The shield should now be at the bootloader menu, simply select unlock bootloader
    6.PNG

    flash.PNG

    Now you can select which boot mod you would prefer. The script will erase the old boot image, flash the new one, reset, then the script will pause for us.

    6.png

    When your shield has fully rebooted and is on the main menu, you can press any key in the terminal and the script will finish the magisk installation for us by installing the apk to the device.

    apk.PNG

    If you accidentally pressed a button too quickly, you can always access the apk menu to adb install the Magisk apk.

    FULL RUNDOWN OF V2 CHANGES

    Remember that you can always revert back to the Stock Boot Image and Lock your bootloader (again you can only lock it with a Stock boot flashed) to get your AI Upscaler and Dolby Vision working again when you are done with Root.

    STEP 5:
    Now Opening Magisk will trigger this alert:
    MAGISK APKINSTALL.jpg


    Select OK and after the reboot, your Magisk of Choice will be fully installed!

    6.jpg


    You will now have Root and still be able to use apps and features that you shouldn't be able to. Normally with root (or at least on the Dev Rooted Images) we cannot install Disney +, but as you see, we Sure Can Now~! ;-)

    IF YOUR PLAYSTORE IS MISSING APPS, SEE THIS POST. REQUIRES MAGISK DELTA
    SOURCE CODE --- You may repurpose / share this as you see fit.

    DELTAMODONLY.BAT
    Code:
    fastboot erase boot
    fastboot flash boot bootmod2.img
    fastboot reboot

    MAGISKMODONLY.BAT
    Code:
    fastboot erase boot
    fastboot flash boot bootmod1.img
    fastboot reboot

    BOOTMOD.BAT ---- There is unused code, the :UNLOCK code will be removed later, it didn't work how I would have liked in testing and I forgot to remove it. It isn't harming anything right now so will remove it with the next update.
    Code:
    @echo off
    title [BOOTMOD]
    color 0A
    if "%1" neq "" ( goto %1)
    
    :MENU
    cls
    echo BOOTMOD -- Version 2
    echo =========================================
    adb devices
    echo =========================================
    echo 1. Enter Bootloader Menu for Mod Flashing
    echo 2. Enter APK Menu
    echo 3. ADB Connect
    echo 4. Reboot to System
    echo 5. HELP
    echo 6. EXIT BOOTMOD
    echo =========================================
    set /p answer= Please Enter your Selection:
    if %answer%==1 goto BOOTLOADER
    if %answer%==2 goto APK
    if %answer%==3 goto ADB
    if %answer%==4 goto REBOOT
    if %answer%==5 goto HELP
    if %answer%==6 goto EXIT
    :ADB
    cls
    set /p answer= Type in SHIELD IP Address:
    adb connect %answer%
    goto MENU
     
    :APK
    cls
    echo ===========
    echo APK MENU
    echo ===========
    echo 1. Magisk by TopJohnWu
    echo 2. Magisk Delta fork by HuskyDG
    echo 3. Return to Main Menu
    echo ================================
    set /p answer= Please Enter your Selection:
    if %answer%==1 goto MAGISKAPK
    if %answer%==2 goto DELTAAPK
    if %answer%==3 goto MENU
    
    :MAGISKAPK
    adb install magisk.apk
    goto MENU
    
    :DELTAAPK
    adb install delta.apk
    goto MENU
    
    :HELP
    cls
    echo Adb must be installed on the computer and USB debugging must be enabled on the Shield.
    echo You will need the Fastboot USB drivers installed on your PC.
    echo Check the GUIDE on XDA for more help.
    echo LINK: https://forum.xda-developers.com/t/bootmod-root-your-shield-in-1-minute-2015-2017-2019.4524873/
    echo =====================================================================================
    set /p answer=Press 1 to return to Main Menu:
    if %answer%==1 goto MENU
    
    :UNLOCK
    cls
    fastboot oem unlock
    echo ==============================================================
    echo Use your shield to select yes. Then press any key to continue
    echo ==============================================================
    pause
    set /p answer=Press 1 to Enter Flash Menu or 2 to return to Main Menu:
    if %answer%==1 goto FLASH
    if %answer%==2 goto MENU
    
    :BOOTLOADER
    cls
    adb reboot bootloader
    pause
    cls
    echo =====================================================
    fastboot devices
    echo =====================================================
    echo Is your device listed above?
    echo =====================================================
    set /p answer=Press 1 for yes or 2 for no or 3 for Help:
    if %answer%==1 goto FLASH
    if %answer%==2 goto BOOTLOADER
    if %answer%==3 goto HELP
    
    :FLASH
    cls
    echo How would you like to flash your boot today? Do you want to include:
    echo ====================================================================
    echo 1. TopJohnWu's Magisk
    echo 2. HuskyDG's Magisk Delta
    echo 3. Revert Back To Stock Boot Image
    echo 4. Reboot Shield to System
    echo 5. Return to Main Menu
    echo ====================================
    set /p answer=Select a number and press enter:
    if %answer%==1 goto MAGISK
    if %answer%==2 goto DELTA
    if %answer%==3 goto STOCK
    if %answer%==4 goto REBOOT
    if %answer%==5 goto MENU                                                                                 
    
    :MAGISK
    cls
    fastboot erase boot
    fastboot flash boot bootmod1.img
    fastboot reboot
    echo =====================================
    echo Wait for your Shield to fully Reboot.
    echo =====================================
    pause
    adb install magisk.apk
    goto MENU
    
    :DELTA
    cls
    fastboot erase boot
    fastboot flash boot bootmod2.img
    fastboot reboot
    echo =====================================
    echo Wait for your Shield to fully Reboot.
    echo =====================================
    pause
    adb install delta.apk
    goto MENU
    
    :STOCK
    cls
    fastboot erase boot
    fastboot flash boot boot.img
    echo ================================================================================
    echo REMEMBER TO LOCK YOUR BOOTLOADER FOR AI UPSCALING AND DOLBY VISION FUNCTIONALITY
    echo ================================================================================
    echo 1. Reboot Shield to the System
    echo 2. Return to Main Menu
    echo =========================
    set /p answer=Enter your selection:
    if %answer%==1 goto REBOOT
    if %answer%==2 goto MENU
    
    :REBOOT
    fastboot reboot
    goto MENU
    
    :EXIT
    exit /b
    Here are the sources for the Magisk apk's and their respective projects, used in making the boot mods.

    Topjohnwu's Magisk APK Direct Download Link (v25.2):

    Github Project Page:

    HuskyDG's Forked version of Magisk "Delta" Direct Download Link:

    Github Project Page:

    All original boot images come from NVIDIA's Gameworks:
    SPECIAL THANKS TO OUR FRIENDS IN THE XDA COMMUNITY <333
    Thank you to @topjohnwu for making Magisk
    @huskydg For making the forked magisk with magiskhide enabled and other features
    @nooted1 for teaching us about the magisk variant "delta" that has magiskhide still configured inside the apk
    @ajolly for their efforts in educating us about safetynet modules that can be used within magisk
    @louforgiveno for their efforts in reverse engineering apks, determining that it would be better to clear data in the google playstore instead of cache, and providing excellent feedback on pretty much every step of the way.
    @abc1054 for testing the ai upscaler and teaching me how to even use the silly thing.
    @Zer0_rulz for testing the upscaler and teaching us about link2sd and providing a useful idea for studies, to "freeze apps" as opposed to straight deletion in tests. I will use both methods in the future!
    @pinvok3 for their script they made to teach us how to more efficiently locate the apps tied to the ai upscaler and determining the "tvsettings.apk" to potentially be culpable in jailing our upscaler. They also taught me about the dolby vision feature on the shield
    @Renate for allowing me to bother her in the AVB thread while I try to learn how to talk to people like her. haha
    @Manzing for stepping up and being the hero we needed for the 2017 shield community! They were able to locate the correct pathing for the OTA Firmware as well as provide us the stock 9.1 boot and complete OTA!!
    @I_did_it_just_tmrrow For taking the time to verify magisk is able to indeed patch the 2015 version of the Shield HERE and more so they explained the boot images provided on gameworks for the 2015 version have the same hash, therefore a patched boot will work on both the 16gb and 500gb models. Thank you!

    AI UPSCALER FIX:
    THERE'S SOME TROUBLE WITH THE UPSCALER STILL, THE COMMUNITY IS WORKING TOGETHER IN THE COMMENTS BELOW
    Please note that patching the boot with Magisk causes problems like the AI upscaler and Dolby vision being unavailable. You may want to wait for updates unless you have a reason to root with stock but otherwise feel free to join us in troubleshooting!

    NOTE THAT THIS METHOD REQUIRES A FIX SO ONE COULD RUN ADB AS ROOT OUTSIDE OF THE SHELL. (adb shell su works, but not adb root outside of shell) Trying to mod this binary. Bare with me

    Verified Working on the Shield:
    3
    I wanted to share something I discovered today that I didn't know about before and this deals with TWRP.

    Today I rewrote a GUIDE going over how to install Lineage OS on the shield.

    I noticed that TWRP when opened will then establish a root shell with the device named RECOVERY
    2.png

    So I adb shell ls and noticed that the contents /are not/ the same as what we see in a regular adb shell or in root exploring apps.
    1.PNG
    In fact, the view we are used to seeing is referred to as "system_root" as listed above. If you were to ls that, you would see your traditional filesystem layout.

    So therefore I was not seeing the full picture before... There's files here I pulled that I hadn't read before, I have to sort between the leftover lineage garbage and what not but I will share the native file dump later.

    This also makes me wonder if I was trying to flash the "roms" wrong for this device. Maybe a new approach would be to make a modified and preinstalled system_root that could be adb pushed.

    Not sure just wanted to share

    --edit have to select the MOUNT option in TWRP and then system + vendor to see the full picture, otherwise a lot of empty folders
    3
    I'm using 8.2.3. The newer 9 versions seem kind of sluggish. But the script should work on 9 regardless.

    Lastly "Or we lost some kind of DRM keys during the boot unlocking phase." Is this something we can obtain with a serial UART or JTAG adapter? I just got mine in and am not afraid to break the shield open here in a few days if there's something that could be obtained and shared there. I am new to all this so I appreciate everyone sharing the things
    Sorry I have no idea. I've never worked on Android before and I've spent like 30 minutes on this. :D

    Jtag is usually lower level stuff and I'm pretty sure it's undocumented. If it exists even.
    I just remember, that on a previous phone (Sony Xperia) the drm keys were wiped once you unlock the bootloader, resulting in worse Camera image quality.

    Considering that the upscale works correctly after unroot/relocking, I guess this would only be a soft lock. But still could be registered in the hardware somewhere, where we have no access to. Maybe it's still patchable though.
    3
    @pinvok3 Gosh WOW just wow! Thank You for your Amazing Share!! I will absolutely follow your advice and I will get that app pulled now to poke around.

    Are you rolling 8.2.3 or one of the 9's btw??

    Lastly "Or we lost some kind of DRM keys during the boot unlocking phase." Is this something we can obtain with a serial UART or JTAG adapter? I just got mine in and am not afraid to break the shield open here in a few days if there's something that could be obtained and shared there. I am new to all this so I appreciate everyone sharing the things
    3
    Okay, I'm grasping straws right now, but my shield just crashed after I have started a movie with Dolby Vision enabled. Can someone confirm if Dolby Vision is grayed out (unavailable) on rooted devices but available on nonrooted ones? After this fix I was able to enable Dolby Vision but my system just died with this log:

    12-20 23:12:18.951 3725 3839 E WindowManager: Exception checking for game stream. Exception: android.content.pm.PackageManager$NameNotFoundException: ComponentInfo{com.android.tv.settings/.MainSettings}
    12-20 23:12:18.951 3725 3839 I InputDispatcher: Dropped event because of pending overdue app switch.
    12-20 23:12:18.953 3725 3864 E AudioService: Audioserver died.
    12-20 23:12:18.982 4578 5347 D DolbyAudioService: IMs12 implementation died... Restoring settings after restart
    12-20 23:12:18.983 4578 5347 D DolbyAudioService: Attempting to connect to IMs12
    12-20 23:12:18.992 4578 12382 I DolbyAudioService: Waiting 1 second before attempting to connect to IMs12...
    12-20 23:12:19.037 12385 12385 D audiohalservicemsd: main() Starting [email protected] from vendor/dolby.
    12-20 23:12:19.050 12385 12385 D : Calling decrypt_blob. err(0)
    12-20 23:12:19.056 3432 3432 E Ipprotectd: decrypt_blob: Error during launch operation. err(0xffff0011)
    12-20 23:12:19.056 3432 3432 E Ipprotectd: Error occurred at decryption. err(ffff0011)
    12-20 23:12:19.058 12385 12385 E : Decryption failed
    12-20 23:12:19.058 12385 12385 E : decrypt_blob failed! err(0)
    12-20 23:12:19.058 12385 12385 E : Failed to decrypt.
    12-20 23:12:19.058 12385 12385 E : Failed decrypt .text section.
    12-20 23:12:19.059 12385 12385 F libc : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x4ec98e90 in tid 12385 (android.hardwar), pid 12385 (android.hardwar)
    12-20 23:12:19.062 12384 12384 I ServiceManagement: Removing namespace from process name [email protected] to [email protected].

    It seems like some encrypted communication fails which takes the whole system with it. It makes me more suspicious that the bootloader unlock removes/hides/blocks some DRM keys required for AI/Dolby Audio to work. If we could somehow hook into the bootloader unlocking phase to see what's happening ..