BOOTMOD - Root your Shield In 1 minute (2015, 2017, & 2019)

[louforgiveno]

U mean something like these?

Yes, but unfortunately I'm not sure which apk it is in....was hoping it was standalone...but looked through list yesterday and didn't find anything pertaining to upscaling....so yeah its probably buried in one of those apps....gonna be a pain to track it down....ugh

 

[jenneh]

Gosh it's really exciting to see everyone working together on this! I will join you guys however I can tomorrow if y'all don't figure something out before then. Thanks everyone!!!

 

[Zer0_rulz]

I installed link2sd to get a better view, maybe one of these apk's that ai upscaling are bundled on it something like that

 

[pinvok3]

Thanks for the tremendous work!

I do have the same issue (v8.2.3). I can enable AI upscaling, but it always reverts back to 'Enhanced' as the media is unsupported. If I play 4k media it correctly says that it doesn't need to upscale. 1080p is always unsupported. At least no unlocked bootloader error anymore.

This happens on Kodi, NextTube and Netflix. I remember vividly that the upscaling worked on Netflix and NextTube before the rooting. I've followed the guide completely, also reset Google Play Services and all that.

Could it be, because I have no Google Account linked, and they need one for fancy data collection?

Before the fix, even Enhanced wasn't available so I'm happy already. The progress being made is really great.

If I can help with something, I'll happily support. I'm a software engineer but never have worked on Android related stuff. So I need at least some pointers where to look.

/Edit: I have recently changed from TV to a projector. So I can't guarantee that it's not a display configuration issue. But it's a 4k/HDR10 projector. So it should act like a normal 4k TV.

 

[abc1054]

Thanks for all your hard works

 

[jenneh]

1. I might have misread what Nooted said, and assumed they got the upscaler working when maybe they were only referring to the root on stock part and being able to run apps not normally allowed on root.

2. That being said I did a test today to try to determine if using magiskhide settings with safetynet could Actually Even fix our issue and according to what I tried it cannot.

Here's what I did: I enabled magiskhide on literally everything on the machine, reboot.

Go into settings and I signed out of my google account, force stopped every single app installed and system app, cleared all data of everything, disabled every app that would allow it, uninstalled every update for the apps that would allow, and rebooted. Tried with and without google login and same problem.

3. I have corrected the title of this thread until an upscaler method can be fully found.

4. How I plan to proceed tomorrow:

I want to go through and start uninstalling apks, partition by partition, to see what happens. What does it break? Can we even delete some of these apps without some sort of weird crypto back-end break, etc? Could it be possible to find the app containing the Upscaler by means of elimination? IE keep deleting things until the upscaler option disapears or goes grey all together? Going to start in /vendor... there's some interesting apks in there.

If we can find the apk maybe we can pull it and do things with it

edit --I just thought about it but I forgot to try to lock the bootloader after all that and try again. I will try tomorrow

 

[abc1054]

Jenneh, your totally awesome. Hope you and your family have a great holiday.. thanks for all you do.

 

[Zer0_rulz]

1. I might have misread what Nooted said, and assumed they got the upscaler working when maybe they were only referring to the root on stock part and being able to run apps not normally allowed on root.

2. That being said I did a test today to try to determine if using magiskhide settings with safetynet could Actually Even fix our issue and according to what I tried it cannot.

Here's what I did: I enabled magiskhide on literally everything on the machine, reboot.

Go into settings and I signed out of my google account, force stopped every single app installed and system app, cleared all data of everything, disabled every app that would allow it, uninstalled every update for the apps that would allow, and rebooted. Tried with and without google login and same problem.

3. I have corrected the title of this thread until an upscaler method can be fully found.

4. How I plan to proceed tomorrow:

I want to go through and start uninstalling apks, partition by partition, to see what happens. What does it break? Can we even delete some of these apps without some sort of weird crypto back-end break, etc? Could it be possible to find the app containing the Upscaler by means of elimination? IE keep deleting things until the upscaler option disapears or goes grey all together? Going to start in /vendor... there's some interesting apks in there.

If we can find the apk maybe we can pull it and do things with it

edit --I just thought about it but I forgot to try to lock the bootloader after all that and try again. I will try tomorrow

I think freezing an apk will work, link2sd or sd maid can do it

 

[Zer0_rulz]

I want to try to freeze these apk's to find the ai upscaler, but my question is, is it fine to install twrp on 9.1.1?, so i could have a backup incase of bootloops

 

[jenneh]

I want to try to freeze these apk's to find the ai upscaler, but my question is, is it fine to install twrp on 9.1.1?, so i could have a backup incase of bootloops

You can def run TWRP, now backing up may be a different story when you go to restore. I was never actually successful with a restore, always bootlooped. Then again I never tried stock and that was a year ago so who knows. If it works for you please let me know.

Just to rule it out, I tried relocking the bootloader today with all the steps applied and the shield did not like that. It refused to boot entirely so I am going to play magic eraser today and I look forward to your results playing Mr Freeze and we will see what happens! I always like it when something can be turned off instead of removed or at least have that option available, :0

 

[pinvok3]

Maybe I can propose a different way?

You can configure the upscaling through the Android system settings, they are therefore also available with `adb shell settings list system`.

I guess these are the settings the upscaler uses.

nv_upscale_detail=3
nv_upscale_filter=auto

The 3 is AI Enhancement.

I would dump all system apks, decompile them and search for "nv_upscale" strings.

I wrote a little script that can dump all system apks. Requires nodejs.

Spoiler

'use strict';

const exec = require('child_process').exec;
const fs = require('fs/promises');

async function getAppPath(appName) {
    return new Promise((resolve, reject) => {
        exec(`adb shell pm path ${appName}`, (stdout, stderr) => {
            resolve(stderr.replace('package:', '').trim());
        })
    })
}

async function dumpSystemAppNames() {
    return new Promise((resolve, reject) => {
        exec(`adb shell pm  list packages -s`, (stdout, stderr) => {
            resolve(stderr.split('\n').map(x => x.replace('package:', '')));
        })
    })
}

async function getSystemAPKPaths() {
    const systemApps = await dumpSystemAppNames();
    const apkPaths = [];

    for (let app of systemApps) {
        console.log("Getting Path for: ", app);
        const apkPath = await getAppPath(app);
        apkPaths.push({apk: app, path: apkPath});
    }

    return apkPaths;
}

async function pullAPK(path, location) {
    return new Promise((resolve, reject) => {
        exec(`adb pull "${path}" "${location}"`, (stdout, stderr) => {
            resolve(stdout + "\n" + stderr);
        })
    })
}

async function pullAPKs(apkInfo) {
    const dumpFolder = `${process.cwd()}/system_apks`;
 
    try {
        await fs.access(dumpFolder);
    } catch (ex) {
        await fs.mkdir(dumpFolder);
    }

    for (const apk of apkInfo) {
        await pullAPK(apk.path, dumpFolder);
    }
}

async function main() {
    const paths = await getSystemAPKPaths();
    await pullAPKs(paths);
}

main();

I guess we can extend this script and add JADX. Go through all decompiled apks and look out for the config strings.
This way we will find all apps that are using the configuration and can be sure we are not missing a few.

/edit:

Okay, I did just that. This string seems to be used by TvSettings very often. It seems to controlling a certain service/library and is also responsible for checking the upscaling status. "Unlocked bootloader" is displayed by that app. I would suggest to concentrate on that App for now, especially the HWCService/INVDisplay and Upscale related files.

A cold guess into the dark:
Magisk Hide currently doesn't hide behind that specific display service/module and only behind the apps. The module blocks the upscaling because it still sees the root, but the apps think everything is fine.

Or we lost some kind of DRM keys during the boot unlocking phase.

There seems to be communication between the hardware layer and the app. Primarily the interface [email protected]::INvDisplay could be interesting. This is where the upscale fail reason gets pulled from and should be responsible for activating the upscaling. I hope that the boot unlock isn't somehow reversibly burned into the hardware.

 

[jenneh]

@pinvok3 Gosh WOW just wow! Thank You for your Amazing Share!! I will absolutely follow your advice and I will get that app pulled now to poke around.

Are you rolling 8.2.3 or one of the 9's btw??

Lastly "Or we lost some kind of DRM keys during the boot unlocking phase." Is this something we can obtain with a serial UART or JTAG adapter? I just got mine in and am not afraid to break the shield open here in a few days if there's something that could be obtained and shared there. I am new to all this so I appreciate everyone sharing the things

 

[pinvok3]

I'm using 8.2.3. The newer 9 versions seem kind of sluggish. But the script should work on 9 regardless.

Lastly "Or we lost some kind of DRM keys during the boot unlocking phase." Is this something we can obtain with a serial UART or JTAG adapter? I just got mine in and am not afraid to break the shield open here in a few days if there's something that could be obtained and shared there. I am new to all this so I appreciate everyone sharing the things

Sorry I have no idea. I've never worked on Android before and I've spent like 30 minutes on this.

Jtag is usually lower level stuff and I'm pretty sure it's undocumented. If it exists even.
I just remember, that on a previous phone (Sony Xperia) the drm keys were wiped once you unlock the bootloader, resulting in worse Camera image quality.

Considering that the upscale works correctly after unroot/relocking, I guess this would only be a soft lock. But still could be registered in the hardware somewhere, where we have no access to. Maybe it's still patchable though.

 

[jenneh]

Sorry I have no idea. I've never worked on Android before and I've spent like 30 minutes on this.

Thank You for even taking the time!! Your thirty minutes taught me more than a whole year, so I hope you get paid well doing whatever you do at your day job xD You're a legend in my book

I got the apk pulled for anyone who might want to look at it.

TvSettings.apk

drive.google.com

This is the 8.2.3 version

Here's Jadx

Releases · skylot/jadx

Dex to Java decompiler. Contribute to skylot/jadx development by creating an account on GitHub.

github.com

Here's a beginner friendly video using jadx and android studio to decompile apks

 

[louforgiveno]

Thank You for even taking the time!! Your thirty minutes taught me more than a whole year, so I hope you get paid well doing whatever you do at your day job xD You're a legend in my book

I got the apk pulled for anyone who might want to look at it.

TvSettings.apk

drive.google.com

This is the 8.2.3 version

Here's Jadx

Releases · skylot/jadx

Dex to Java decompiler. Contribute to skylot/jadx development by creating an account on GitHub.

github.com

Here's a beginner friendly video using jadx and android studio to decompile apks

View attachment 5787803

Ok, so it appears confirmed that it's the Unlocked Bootloader that keeps ai upscaling from working.(Deepisp)...next see if i can "interfere" with the reporting of unlocked....
But first.....back to the world cup final!

 

[pinvok3]

Okay, I'm grasping straws right now, but my shield just crashed after I have started a movie with Dolby Vision enabled. Can someone confirm if Dolby Vision is grayed out (unavailable) on rooted devices but available on nonrooted ones? After this fix I was able to enable Dolby Vision but my system just died with this log:

12-20 23:12:18.951 3725 3839 E WindowManager: Exception checking for game stream. Exception: android.content.pm.PackageManager$NameNotFoundException: ComponentInfo{com.android.tv.settings/.MainSettings}
12-20 23:12:18.951 3725 3839 I InputDispatcher: Dropped event because of pending overdue app switch.
12-20 23:12:18.953 3725 3864 E AudioService: Audioserver died.
12-20 23:12:18.982 4578 5347 D DolbyAudioService: IMs12 implementation died... Restoring settings after restart
12-20 23:12:18.983 4578 5347 D DolbyAudioService: Attempting to connect to IMs12
12-20 23:12:18.992 4578 12382 I DolbyAudioService: Waiting 1 second before attempting to connect to IMs12...
12-20 23:12:19.037 12385 12385 D audiohalservicemsd: main() Starting [email protected] from vendor/dolby.
12-20 23:12:19.050 12385 12385 D : Calling decrypt_blob. err(0)
12-20 23:12:19.056 3432 3432 E Ipprotectd: decrypt_blob: Error during launch operation. err(0xffff0011)
12-20 23:12:19.056 3432 3432 E Ipprotectd: Error occurred at decryption. err(ffff0011)
12-20 23:12:19.058 12385 12385 E : Decryption failed
12-20 23:12:19.058 12385 12385 E : decrypt_blob failed! err(0)
12-20 23:12:19.058 12385 12385 E : Failed to decrypt.
12-20 23:12:19.058 12385 12385 E : Failed decrypt .text section.
12-20 23:12:19.059 12385 12385 F libc : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x4ec98e90 in tid 12385 (android.hardwar), pid 12385 (android.hardwar)
12-20 23:12:19.062 12384 12384 I ServiceManagement: Removing namespace from process name [email protected] to [email protected].

It seems like some encrypted communication fails which takes the whole system with it. It makes me more suspicious that the bootloader unlock removes/hides/blocks some DRM keys required for AI/Dolby Audio to work. If we could somehow hook into the bootloader unlocking phase to see what's happening ..

 

[jenneh]

(I had to ask @pinvok3 how) but in audio settings under advanced settings is the option.

This is on stock with root.

CONFIRMED

Dolby Audio Processing is greyed out on the Dev rooted 8.2.3 image with no ability to toggle on

(excuse my potato phone)

 

[pinvok3]

Perfect. that's good to know. Thanks!

So your fix seems to enable the option again, but causes a crash in the system upon enabling. I guess the part that decodes Dolby signals and upscales media is denying it's work for some reason or another.

I remember that (At least on my old Xperia) I could backup the DRM keys before unlocking the bootloader and then reapply it after the root by flasing the binary file to some subdevice. Maybe it can be solved the same, but my knowledge is really limited here.

 

[louforgiveno]

I'm uploading a zip containing the decompiled TvSettings apk in case anyone else wants to look through the .smali files....there's a lot here...kinda like finding a needle in a haystack with my abilities.
I've found a few interesting entries but haven't done any testing yet, just gradually looking through smali files that mention DeepISP and Upscaling/Video to get an idea of where edits can possibly be made.
Here..

TvSettings_decompiled.zip

drive.google.com

 

[topbilal]

Does the boot images work for Nvidia shield 2017 16gb model?