BOOTMOD - Root your Shield In 1 minute (2015, 2017, & 2019)

Search This thread
By:
Advanced…
Z

Zer0_rulz

Senior Member
Dec 22, 2014
86
21
I installed link2sd to get a better view, maybe one of these apk's that ai upscaling are bundled on it something like that
 

Attachments

  • 20221216_191422.jpg
    20221216_191422.jpg
    7.5 MB · Views: 41
  • 20221216_191410.jpg
    20221216_191410.jpg
    7.6 MB · Views: 42
  • 20221216_191356.jpg
    20221216_191356.jpg
    7.3 MB · Views: 31
  • 20221216_191346.jpg
    20221216_191346.jpg
    6.9 MB · Views: 48
  • Like
Reactions: jenneh and louforgiveno
P

pinvok3

Member
Sep 15, 2017
8
12
Thanks for the tremendous work!

I do have the same issue (v8.2.3). I can enable AI upscaling, but it always reverts back to 'Enhanced' as the media is unsupported. If I play 4k media it correctly says that it doesn't need to upscale. 1080p is always unsupported. At least no unlocked bootloader error anymore. :)

This happens on Kodi, NextTube and Netflix. I remember vividly that the upscaling worked on Netflix and NextTube before the rooting. I've followed the guide completely, also reset Google Play Services and all that.

Could it be, because I have no Google Account linked, and they need one for fancy data collection?

Before the fix, even Enhanced wasn't available so I'm happy already. The progress being made is really great.

If I can help with something, I'll happily support. I'm a software engineer but never have worked on Android related stuff. So I need at least some pointers where to look. :)

/Edit: I have recently changed from TV to a projector. So I can't guarantee that it's not a display configuration issue. But it's a 4k/HDR10 projector. So it should act like a normal 4k TV.
 
Last edited:
  • Like
  • Love
Reactions: jenneh and louforgiveno
jenneh

jenneh

Senior Member
Mar 26, 2014
688
454
Razer Phone 2
Nvidia Shield TV & TV Pro (2019)
1. I might have misread what Nooted said, and assumed they got the upscaler working when maybe they were only referring to the root on stock part and being able to run apps not normally allowed on root.

2. That being said I did a test today to try to determine if using magiskhide settings with safetynet could Actually Even fix our issue and according to what I tried it cannot.

Here's what I did: I enabled magiskhide on literally everything on the machine, reboot.

Go into settings and I signed out of my google account, force stopped every single app installed and system app, cleared all data of everything, disabled every app that would allow it, uninstalled every update for the apps that would allow, and rebooted. Tried with and without google login and same problem.

3. I have corrected the title of this thread until an upscaler method can be fully found.

4. How I plan to proceed tomorrow:

I want to go through and start uninstalling apks, partition by partition, to see what happens. What does it break? Can we even delete some of these apps without some sort of weird crypto back-end break, etc? Could it be possible to find the app containing the Upscaler by means of elimination? IE keep deleting things until the upscaler option disapears or goes grey all together? Going to start in /vendor... there's some interesting apks in there.

If we can find the apk maybe we can pull it and do things with it

edit --I just thought about it but I forgot to try to lock the bootloader after all that and try again. I will try tomorrow
 
Last edited:
  • Like
Reactions: louforgiveno
Z

Zer0_rulz

Senior Member
Dec 22, 2014
86
21
jenneh said:
1. I might have misread what Nooted said, and assumed they got the upscaler working when maybe they were only referring to the root on stock part and being able to run apps not normally allowed on root.

2. That being said I did a test today to try to determine if using magiskhide settings with safetynet could Actually Even fix our issue and according to what I tried it cannot.

Here's what I did: I enabled magiskhide on literally everything on the machine, reboot.

Go into settings and I signed out of my google account, force stopped every single app installed and system app, cleared all data of everything, disabled every app that would allow it, uninstalled every update for the apps that would allow, and rebooted. Tried with and without google login and same problem.

3. I have corrected the title of this thread until an upscaler method can be fully found.

4. How I plan to proceed tomorrow:

I want to go through and start uninstalling apks, partition by partition, to see what happens. What does it break? Can we even delete some of these apps without some sort of weird crypto back-end break, etc? Could it be possible to find the app containing the Upscaler by means of elimination? IE keep deleting things until the upscaler option disapears or goes grey all together? Going to start in /vendor... there's some interesting apks in there.

If we can find the apk maybe we can pull it and do things with it

edit --I just thought about it but I forgot to try to lock the bootloader after all that and try again. I will try tomorrow
Click to expand...
Click to collapse
I think freezing an apk will work, link2sd or sd maid can do it
 
  • Like
Reactions: jenneh
jenneh

jenneh

Senior Member
Mar 26, 2014
688
454
Razer Phone 2
Nvidia Shield TV & TV Pro (2019)
Zer0_rulz said:
I want to try to freeze these apk's to find the ai upscaler, but my question is, is it fine to install twrp on 9.1.1?, so i could have a backup incase of bootloops
Click to expand...
Click to collapse
You can def run TWRP, now backing up may be a different story when you go to restore. I was never actually successful with a restore, always bootlooped. Then again I never tried stock and that was a year ago so who knows. If it works for you please let me know.

Just to rule it out, I tried relocking the bootloader today with all the steps applied and the shield did not like that. It refused to boot entirely so I am going to play magic eraser today and I look forward to your results playing Mr Freeze and we will see what happens! I always like it when something can be turned off instead of removed or at least have that option available, :0
 
Last edited:
  • Like
Reactions: louforgiveno
P

pinvok3

Member
Sep 15, 2017
8
12
Maybe I can propose a different way?

You can configure the upscaling through the Android system settings, they are therefore also available with `adb shell settings list system`.

I guess these are the settings the upscaler uses.
Code: 
nv_upscale_detail=3
nv_upscale_filter=auto

The 3 is AI Enhancement.

I would dump all system apks, decompile them and search for "nv_upscale" strings.

I wrote a little script that can dump all system apks. Requires nodejs.
JavaScript: 
'use strict';

const exec = require('child_process').exec;
const fs = require('fs/promises');

async function getAppPath(appName) {
    return new Promise((resolve, reject) => {
        exec(`adb shell pm path ${appName}`, (stdout, stderr) => {
            resolve(stderr.replace('package:', '').trim());
        })
    })
}

async function dumpSystemAppNames() {
    return new Promise((resolve, reject) => {
        exec(`adb shell pm  list packages -s`, (stdout, stderr) => {
            resolve(stderr.split('\n').map(x => x.replace('package:', '')));
        })
    })
}

async function getSystemAPKPaths() {
    const systemApps = await dumpSystemAppNames();
    const apkPaths = [];

    for (let app of systemApps) {
        console.log("Getting Path for: ", app);
        const apkPath = await getAppPath(app);
        apkPaths.push({apk: app, path: apkPath});
    }

    return apkPaths;
}

async function pullAPK(path, location) {
    return new Promise((resolve, reject) => {
        exec(`adb pull "${path}" "${location}"`, (stdout, stderr) => {
            resolve(stdout + "\n" + stderr);
        })
    })
}

async function pullAPKs(apkInfo) {
    const dumpFolder = `${process.cwd()}/system_apks`;
 
    try {
        await fs.access(dumpFolder);
    } catch (ex) {
        await fs.mkdir(dumpFolder);
    }

    for (const apk of apkInfo) {
        await pullAPK(apk.path, dumpFolder);
    }
}

async function main() {
    const paths = await getSystemAPKPaths();
    await pullAPKs(paths);
}

main();

I guess we can extend this script and add JADX. Go through all decompiled apks and look out for the config strings.
This way we will find all apps that are using the configuration and can be sure we are not missing a few.

/edit:

Okay, I did just that. This string seems to be used by TvSettings very often. It seems to controlling a certain service/library and is also responsible for checking the upscaling status. "Unlocked bootloader" is displayed by that app. I would suggest to concentrate on that App for now, especially the HWCService/INVDisplay and Upscale related files.

A cold guess into the dark:
Magisk Hide currently doesn't hide behind that specific display service/module and only behind the apps. The module blocks the upscaling because it still sees the root, but the apps think everything is fine.

Or we lost some kind of DRM keys during the boot unlocking phase.

There seems to be communication between the hardware layer and the app. Primarily the interface [email protected]::INvDisplay could be interesting. This is where the upscale fail reason gets pulled from and should be responsible for activating the upscaling. I hope that the boot unlock isn't somehow reversibly burned into the hardware.
 
Last edited:
  • Like
  • Wow
Reactions: Zer0_rulz, louforgiveno and jenneh
jenneh

jenneh

Senior Member
Mar 26, 2014
688
454
Razer Phone 2
Nvidia Shield TV & TV Pro (2019)
@pinvok3 Gosh WOW just wow! Thank You for your Amazing Share!! I will absolutely follow your advice and I will get that app pulled now to poke around.

Are you rolling 8.2.3 or one of the 9's btw??

Lastly "Or we lost some kind of DRM keys during the boot unlocking phase." Is this something we can obtain with a serial UART or JTAG adapter? I just got mine in and am not afraid to break the shield open here in a few days if there's something that could be obtained and shared there. I am new to all this so I appreciate everyone sharing the things
 
  • Like
  • Love
Reactions: pinvok3, Zer0_rulz and louforgiveno
P

pinvok3

Member
Sep 15, 2017
8
12
I'm using 8.2.3. The newer 9 versions seem kind of sluggish. But the script should work on 9 regardless.

Lastly "Or we lost some kind of DRM keys during the boot unlocking phase." Is this something we can obtain with a serial UART or JTAG adapter? I just got mine in and am not afraid to break the shield open here in a few days if there's something that could be obtained and shared there. I am new to all this so I appreciate everyone sharing the things
Click to expand...
Click to collapse
Sorry I have no idea. I've never worked on Android before and I've spent like 30 minutes on this. :D

Jtag is usually lower level stuff and I'm pretty sure it's undocumented. If it exists even.
I just remember, that on a previous phone (Sony Xperia) the drm keys were wiped once you unlock the bootloader, resulting in worse Camera image quality.

Considering that the upscale works correctly after unroot/relocking, I guess this would only be a soft lock. But still could be registered in the hardware somewhere, where we have no access to. Maybe it's still patchable though.
 
  • Like
  • Love
Reactions: Zer0_rulz, louforgiveno and jenneh
jenneh

jenneh

Senior Member
Mar 26, 2014
688
454
Razer Phone 2
Nvidia Shield TV & TV Pro (2019)
pinvok3 said:
Sorry I have no idea. I've never worked on Android before and I've spent like 30 minutes on this. :D
Click to expand...
Click to collapse
Thank You for even taking the time!! Your thirty minutes taught me more than a whole year, so I hope you get paid well doing whatever you do at your day job xD You're a legend in my book

I got the apk pulled for anyone who might want to look at it.

TvSettings.apk

drive.google.com drive.google.com

This is the 8.2.3 version

Here's Jadx
github.com

Releases · skylot/jadx

Dex to Java decompiler. Contribute to skylot/jadx development by creating an account on GitHub.
github.com github.com

Here's a beginner friendly video using jadx and android studio to decompile apks

1671381203988.png
 
Last edited:
  • Like
  • Love
Reactions: pinvok3 and louforgiveno
louforgiveno

louforgiveno

Senior Member
Jun 24, 2010
3,828
2,459
jenneh said:
Thank You for even taking the time!! Your thirty minutes taught me more than a whole year, so I hope you get paid well doing whatever you do at your day job xD You're a legend in my book

I got the apk pulled for anyone who might want to look at it.

TvSettings.apk

drive.google.com drive.google.com

This is the 8.2.3 version

Here's Jadx
github.com

Releases · skylot/jadx

Dex to Java decompiler. Contribute to skylot/jadx development by creating an account on GitHub.
github.com github.com

Here's a beginner friendly video using jadx and android studio to decompile apks

View attachment 5787803
Click to expand...
Click to collapse
Ok, so it appears confirmed that it's the Unlocked Bootloader that keeps ai upscaling from working.(Deepisp)...next see if i can "interfere" with the reporting of unlocked....
But first.....back to the world cup final!
Screenshot_20221218-091507_APK Editor Pro.jpg
 
  • Like
  • Love
Reactions: jenneh and Zer0_rulz
P

pinvok3

Member
Sep 15, 2017
8
12
Okay, I'm grasping straws right now, but my shield just crashed after I have started a movie with Dolby Vision enabled. Can someone confirm if Dolby Vision is grayed out (unavailable) on rooted devices but available on nonrooted ones? After this fix I was able to enable Dolby Vision but my system just died with this log:

12-20 23:12:18.951 3725 3839 E WindowManager: Exception checking for game stream. Exception: android.content.pm.PackageManager$NameNotFoundException: ComponentInfo{com.android.tv.settings/.MainSettings}
12-20 23:12:18.951 3725 3839 I InputDispatcher: Dropped event because of pending overdue app switch.
12-20 23:12:18.953 3725 3864 E AudioService: Audioserver died.
12-20 23:12:18.982 4578 5347 D DolbyAudioService: IMs12 implementation died... Restoring settings after restart
12-20 23:12:18.983 4578 5347 D DolbyAudioService: Attempting to connect to IMs12
12-20 23:12:18.992 4578 12382 I DolbyAudioService: Waiting 1 second before attempting to connect to IMs12...
12-20 23:12:19.037 12385 12385 D audiohalservicemsd: main() Starting [email protected] from vendor/dolby.
12-20 23:12:19.050 12385 12385 D : Calling decrypt_blob. err(0)
12-20 23:12:19.056 3432 3432 E Ipprotectd: decrypt_blob: Error during launch operation. err(0xffff0011)
12-20 23:12:19.056 3432 3432 E Ipprotectd: Error occurred at decryption. err(ffff0011)
12-20 23:12:19.058 12385 12385 E : Decryption failed
12-20 23:12:19.058 12385 12385 E : decrypt_blob failed! err(0)
12-20 23:12:19.058 12385 12385 E : Failed to decrypt.
12-20 23:12:19.058 12385 12385 E : Failed decrypt .text section.
12-20 23:12:19.059 12385 12385 F libc : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x4ec98e90 in tid 12385 (android.hardwar), pid 12385 (android.hardwar)
12-20 23:12:19.062 12384 12384 I ServiceManagement: Removing namespace from process name [email protected] to [email protected].
Click to expand...
Click to collapse

It seems like some encrypted communication fails which takes the whole system with it. It makes me more suspicious that the bootloader unlock removes/hides/blocks some DRM keys required for AI/Dolby Audio to work. If we could somehow hook into the bootloader unlocking phase to see what's happening ..
 
  • Like
  • Love
Reactions: Zer0_rulz, jenneh and louforgiveno
P

pinvok3

Member
Sep 15, 2017
8
12
Perfect. that's good to know. Thanks!

So your fix seems to enable the option again, but causes a crash in the system upon enabling. I guess the part that decodes Dolby signals and upscales media is denying it's work for some reason or another.

I remember that (At least on my old Xperia) I could backup the DRM keys before unlocking the bootloader and then reapply it after the root by flasing the binary file to some subdevice. Maybe it can be solved the same, but my knowledge is really limited here.
 
  • Wow
  • Like
Reactions: louforgiveno and jenneh
louforgiveno

louforgiveno

Senior Member
Jun 24, 2010
3,828
2,459
I'm uploading a zip containing the decompiled TvSettings apk in case anyone else wants to look through the .smali files....there's a lot here...kinda like finding a needle in a haystack with my abilities.
I've found a few interesting entries but haven't done any testing yet, just gradually looking through smali files that mention DeepISP and Upscaling/Video to get an idea of where edits can possibly be made.
Here..

TvSettings_decompiled.zip

drive.google.com drive.google.com
 
Last edited:
  • Love
Reactions: jenneh
You must log in or register to reply here.

Similar threads

jenneh
Root Nvidia Shield TV Pro 2019 Version
Replies
103
Views
28K
jenneh
jenneh
M
How to Root and install Magisk on NSTV 2019 Pro v8.2.0
Replies
94
Views
20K
M
mrhamed
jenneh
2015, 2017, & 2019 Nvidia Shield TV Firmware Repo & Source Code Repo
Replies
41
Views
7K
Manzing
Manzing
T
HOWTO: Install developer image for 2019 shield tv pro !READ WARNING!
Replies
3
Views
5K
elliwigy
elliwigy
M
How to skip(bypass) Google sign-in NSTV Pro 2019 with any firmware versions!
Replies
28
Views
5K
D
dib_

Top Liked Posts

24 Hours 30 Days All time
  • There are no posts matching your filters.
  • 3
    jenneh
    jenneh
    An update has been released and pushed to all the zip files. (These are just QoL things for the BOOTMOD script.) As usual, the OP's guide has been updated again with the new source code and pictures.

    You are now presented with a menu that will show if your device is connected via adb.
    SYSTEM MENU.PNG


    In case you forgot to adb connect, option 3 will allow you to type your ip address and connect to the shield.


    Option 2 will allow you to install just the magisk apk, this will be useful for updates.
    apk.PNG


    Option 1 pushes the shield into the bootloader menu and verifies it is posting before entering the flash menu, like the original version did before.

    "Reboot shield to system" "escapes" have been added to the menu in a couple of places.

    A Friendly reminder was added to the stock boot flash, to re-engage bootloader lock for upscaler, and a pause before system reset to do so.
    View
    2
    K
    karim-ps
    Also makes no sense for me. I flashed it with manual command fastboot flash boot xxxximg and I have root now

    Thanks for the good work
    View
    2
    jenneh
    jenneh
    An update was made to the OP, the instructions have been edited, pictures added, sources and source code added, and all dl links are updated.

    CHANGES:
    13.png

    The bootmod batch script has been updated so that you can choose which boot image to flash. This script will now install the magisk apk as well.

    If you would prefer to boot into the bootloader yourself, and flash only the bootmod as we did before, .deltamodonly and .magiskmodonly batch files have been provided. Simply boot into the bootloader and run your choice of batch file, then manually install the apk.

    In the directory, bootmod1.img is the Original TopJohnWu Magisk, bootmod2.img is the forked version by HuskyDG. The boot.img file is the stock boot image. Having the original boot.img makes it easier to flash back to stock if needed.

    This was put together in this fashion to make life easier for myself so I can share a single folder for each firmware.. instead of having to share 3 individual files for each firmware. The files are small enough I would hope this doesn't cause too much trouble for anyone with download size restrictions.

    PS The bootmods were patched using my unrooted Nokia G20 to verify that any android device can use magisk with or without root to make these "mods". This may have been common knowledge for others but I didn't know know until now. So. :giggle:

    Simple 1 min demo:
    View
    2
    I
    I_did_it_just_tmrrow
    jenneh said:
    You would just need to download the firmware you want from gameworks for the 2015 shield and then patch the boot like shown here. If you have any trouble or if you would rather me make one for you, just tell me which firmware you want and I can build one.
    View attachment 5855213
    Click to expand...
    Click to collapse
    Done and success.

    My patched image, extract from the zip "nv-recovery-image-shield-atv-2015-pro-9.0.0.zip" is here in attachment. Source (v9.0.0).

    This image should work on device (both orig. boot.img had the same md5/sha256):
    • NVIDIA SHIELD ANDROID TV 2015 with 16GB EMMC
    • Codename: foster
    • NVIDIA SHIELD ANDROID TV PRO 2015 with 512GB HDD (or more if you changed your SATA-Device)
    • Codename: foster_e_hdd

    Code: 
    certutil -hashfile boot-magisk_patched-25210.img SHA256
SHA256-Hash von boot-magisk_patched-25210.img:
2096f51684858f4d5ea402879203743e85d0728e3aee37c7f91f7af24aa2ea25

certutil -hashfile boot-magisk_patched-25210.img MD5
MD5-Hash von boot-magisk_patched-25210.img:
e86d32f620979b282fcad1ef8d1167bb

====

certutil -hashfile bootOriginal.img MD5
MD5-Hash von bootOriginal.img:
1cf3a64cba4563127df659ba65fa4398

certutil -hashfile bootOriginal.img SHA256
SHA256-Hash von bootOriginal.img:
0186f1ccd67778425b5de754b83370ad5ee40194a2fa32ccc51b3cdec0bbaf7f
    View
    2
    jenneh
    jenneh
    karim-ps said:
    Chose option 2 which is HuskyDG Magisk Delta, it was flashed successfully but can no longer boot to system. Each time I reboot it goes straight to fastboot menu
    Click to expand...
    Click to collapse
    I don't have a 2017 to test with unfortunately. The 9.1.1 boot image hasn't been released on gameworks. This was a special image pulled from the OTA update that @Manzing was able to pull for us. It also doesn't make sense why image 1 wouldn't flash unless the image was missing from the folder. All the bootmods use the same script..

    One thing you can test is to reboot into the bootloader menu and run the .magiskmodonly script and see if that installs the bootmod1 for you. Then you could install the apk after rebooting to system.

    You could also try flashing it back to stock and it should just post back.

    The only difference in the code, and this is in the bootmod script too, is the number 1 and number 2 in bootmod. There is nothing here that would require Admin, nor that would stop bootmod1 from flashing when it allows the other to flash. The bootloop is another question. Maybe Manzing can weigh in and give an opinion?
    Capture.PNG
    View
  • 7
    jenneh
    jenneh
    Hello Friends~!

    We now have a working method to achieve ROOT on STOCK Firmware!

    A script has been made that can boot your shield into the bootloader, erase the old boot, flash the new boot, and install your choice of Magisk apk for you. The script is also able to revert you back to the stock boot image if needed.

    Takes only a minute or two depending if you already have adb installed, fastboot drivers setup, and bootloader unlocked. (The guide will walk you through this if you are new)

    HOW TO ROOT:

    If you are already running the STOCK firmware version you want to ROOT, Skip to step 2.
    You can check your currently installed firmware on the shield by going into Settings, selecting About, then scroll to the bottom.
    9.png

    You will see a section called SHIELD Android TV SW Version, this will show your installed FW

    STEP 1:
    Select a STOCK firmware from this THREAD, and fully install it.

    STEP 2:
    Download the BOOT MOD that correlates to your installed STOCK firmware.
    If you want to build your own "Boot Mod" the instructions are HERE

    9.1.1mods.zip

    drive.google.com drive.google.com

    9.1mods.zip

    drive.google.com drive.google.com

    9.0.0mods.zip

    drive.google.com drive.google.com

    8.2.3mods.zip

    drive.google.com drive.google.com
    Special Thanks to @Manzing for obtaining the 9.1 and 9.1.1 images for us!

    9.1.1mods2017.zip

    drive.google.com drive.google.com

    9.1mods2017.zip

    drive.google.com drive.google.com

    9.0.0mods2017.zip

    drive.google.com drive.google.com

    8.2.3mods2017.zip

    drive.google.com drive.google.com
    Special thanks to @I_did_it_just_tmrrow for taking the time to download from gameworks, patch with magisk, and install the 2015 version, and verified it works HERE as well as they verified the hashes were the same for the boot.img of the 500gb and 16gb boot.img

    9.0.0-2015-MODS.zip

    drive.google.com drive.google.com
    If you want me to add more, let me know.

    STEP 3:
    Make sure you have usb debugging enabled in settings and your shield is ON.
    This adds an additional Minute to setup time 😊😊😊

    Attach a USB-C cable to your shield and plug it into your PC.
    (Use the USB port furthest away from the HDMI Cable)
    7.png

    Go into settings, select device preferences

    8.png


    Select About, then hit the build number 7 times
    9.png


    Back out to device preferences and now select developer options
    10.png


    Then enable USB debugging and Network debugging.
    11.png


    Here's a way to install adb quickly using powershell and chocolatey.

    Open powershell as admin and copy and paste these two lines, one line at a time:
    Code: 
    Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

choco install adb

    That's it!

    Note the ip address and in a terminal on your computer, connect to this ip address.

    Example: adb connect 192.168.0.10:5555
    12.png

    This will prompt the shield to allow for a connection, say yes.

    STEP 4:
    Run your choice of .bootmod, .deltamodonly, or .magiskmodonly. MORE INFO
    Simple 1 min demo:

    How to use the new .bootmod script:

    After Enabling USB Debugging and Wireless debugging, then adb connecting to your device, run the .bootmod script

    SYSTEM MENU.PNG

    If you did everything correctly, your device should be listed, and you may proceed by pressing 1 and enter.

    If you forgot to adb connect you may now do so with option 3, just type in your Shield's IP address.
    ipadd.PNG


    After you select 1 on the main menu, the script will then reboot your device into the bootloader and will wait for you to press a key so the script can run fastboot devices to verify that your device has posted.

    fastboot.PNG

    Wait to press any key until you see your shield's lights come on and then you hear the window's chime on your computer. (see 0:16 in the video) Then Press 1 if your device is listed like above.
    Run option 2 again, in case the script went too fast or you hit a key too quickly.

    If your device is still not showing, make sure you have unlocked the bootloader and installed the fastboot drivers for your device.

    DOWNLOAD:

    Shield Drivers.zip

    drive.google.com drive.google.com

    Now open Device Manager and follow the steps below:
    1.png
    2.PNG
    3.PNG
    4.PNG
    5.PNG
    NOTE THAT UNLOCKING YOUR BOOTLOADER WILL ERASE ALL DATA ON THE DEVICE!

    The shield should now be at the bootloader menu, simply select unlock bootloader
    6.PNG

    flash.PNG

    Now you can select which boot mod you would prefer. The script will erase the old boot image, flash the new one, reset, then the script will pause for us.

    6.png

    When your shield has fully rebooted and is on the main menu, you can press any key in the terminal and the script will finish the magisk installation for us by installing the apk to the device.

    apk.PNG

    If you accidentally pressed a button too quickly, you can always access the apk menu to adb install the Magisk apk.

    FULL RUNDOWN OF V2 CHANGES

    STEP 5:
    Now Opening Magisk will trigger this alert:
    MAGISK APKINSTALL.jpg


    Select OK and after the reboot, your Magisk of Choice will be fully installed!

    6.jpg


    You will now have Root and still be able to use apps and features that you shouldn't be able to. Normally with root (or at least on the Dev Rooted Images) we cannot install Disney +, but as you see, we Sure Can Now~! ;-)

    IF YOUR PLAYSTORE IS MISSING APPS, SEE THIS POST. REQUIRES MAGISK DELTA
    SOURCE CODE --- You may repurpose / share this as you see fit.

    DELTAMODONLY.BAT
    Code: 
    fastboot erase boot
fastboot flash boot bootmod2.img
fastboot reboot

    MAGISKMODONLY.BAT
    Code: 
    fastboot erase boot
fastboot flash boot bootmod1.img
fastboot reboot

    BOOTMOD.BAT ---- There is unused code, the :UNLOCK code will be removed later, it didn't work how I would have liked in testing and I forgot to remove it. It isn't harming anything right now so will remove it with the next update.
    Code: 
    @echo off
title [BOOTMOD]
color 0A
if "%1" neq "" ( goto %1)

:MENU
cls
echo BOOTMOD -- Version 2
echo =========================================
adb devices
echo =========================================
echo 1. Enter Bootloader Menu for Mod Flashing
echo 2. Enter APK Menu
echo 3. ADB Connect
echo 4. Reboot to System
echo 5. HELP
echo 6. EXIT BOOTMOD
echo =========================================
set /p answer= Please Enter your Selection:
if %answer%==1 goto BOOTLOADER
if %answer%==2 goto APK
if %answer%==3 goto ADB
if %answer%==4 goto REBOOT
if %answer%==5 goto HELP
if %answer%==6 goto EXIT
:ADB
cls
set /p answer= Type in SHIELD IP Address:
adb connect %answer%
goto MENU
 
:APK
cls
echo ===========
echo APK MENU
echo ===========
echo 1. Magisk by TopJohnWu
echo 2. Magisk Delta fork by HuskyDG
echo 3. Return to Main Menu
echo ================================
set /p answer= Please Enter your Selection:
if %answer%==1 goto MAGISKAPK
if %answer%==2 goto DELTAAPK
if %answer%==3 goto MENU

:MAGISKAPK
adb install magisk.apk
goto MENU

:DELTAAPK
adb install delta.apk
goto MENU

:HELP
cls
echo Adb must be installed on the computer and USB debugging must be enabled on the Shield.
echo You will need the Fastboot USB drivers installed on your PC.
echo Check the GUIDE on XDA for more help.
echo LINK: https://forum.xda-developers.com/t/bootmod-root-your-shield-in-1-minute-2015-2017-2019.4524873/
echo =====================================================================================
set /p answer=Press 1 to return to Main Menu:
if %answer%==1 goto MENU

:UNLOCK
cls
fastboot oem unlock
echo ==============================================================
echo Use your shield to select yes. Then press any key to continue
echo ==============================================================
pause
set /p answer=Press 1 to Enter Flash Menu or 2 to return to Main Menu:
if %answer%==1 goto FLASH
if %answer%==2 goto MENU

:BOOTLOADER
cls
adb reboot bootloader
pause
cls
echo =====================================================
fastboot devices
echo =====================================================
echo Is your device listed above?
echo =====================================================
set /p answer=Press 1 for yes or 2 for no or 3 for Help:
if %answer%==1 goto FLASH
if %answer%==2 goto BOOTLOADER
if %answer%==3 goto HELP

:FLASH
cls
echo How would you like to flash your boot today? Do you want to include:
echo ====================================================================
echo 1. TopJohnWu's Magisk
echo 2. HuskyDG's Magisk Delta
echo 3. Revert Back To Stock Boot Image
echo 4. Reboot Shield to System
echo 5. Return to Main Menu
echo ====================================
set /p answer=Select a number and press enter:
if %answer%==1 goto MAGISK
if %answer%==2 goto DELTA
if %answer%==3 goto STOCK
if %answer%==4 goto REBOOT
if %answer%==5 goto MENU                                                                                    

:MAGISK
cls
fastboot erase boot
fastboot flash boot bootmod1.img
fastboot reboot
echo =====================================
echo Wait for your Shield to fully Reboot.
echo =====================================
pause
adb install magisk.apk
goto MENU

:DELTA
cls
fastboot erase boot
fastboot flash boot bootmod2.img
fastboot reboot
echo =====================================
echo Wait for your Shield to fully Reboot.
echo =====================================
pause
adb install delta.apk
goto MENU

:STOCK
cls
fastboot erase boot
fastboot flash boot boot.img
echo ================================================================================
echo REMEMBER TO LOCK YOUR BOOTLOADER FOR AI UPSCALING AND DOLBY VISION FUNCTIONALITY
echo ================================================================================
echo 1. Reboot Shield to the System
echo 2. Return to Main Menu
echo =========================
set /p answer=Enter your selection:
if %answer%==1 goto REBOOT
if %answer%==2 goto MENU

:REBOOT
fastboot reboot
goto MENU

:EXIT
exit /b
    Here are the sources for the Magisk apk's and their respective projects, used in making the boot mods.

    Topjohnwu's Magisk APK Direct Download Link (v25.2):

    Github Project Page:

    GitHub - topjohnwu/Magisk: The Magic Mask for Android

    The Magic Mask for Android. Contribute to...
    github.com github.com

    HuskyDG's Forked version of Magisk "Delta" Direct Download Link:

    Github Project Page:

    GitHub - HuskyDG/magisk-files

    Contribute to HuskyDG/magisk-files development...
    github.com github.com

    All original boot images come from NVIDIA's Gameworks:

    Gameworks Download Center

    Get the latest Gameworks software for your...
    developer.nvidia.com developer.nvidia.com
    SPECIAL THANKS TO OUR FRIENDS IN THE XDA COMMUNITY <333
    Thank you to @topjohnwu for making Magisk
    @huskydg For making the forked magisk with magiskhide enabled and other features
    @nooted1 for teaching us about the magisk variant "delta" that has magiskhide still configured inside the apk
    @ajolly for their efforts in educating us about safetynet modules that can be used within magisk
    @louforgiveno for their efforts in reverse engineering apks, determining that it would be better to clear data in the google playstore instead of cache, and providing excellent feedback on pretty much every step of the way.
    @abc1054 for testing the ai upscaler and teaching me how to even use the silly thing.
    @Zer0_rulz for testing the upscaler and teaching us about link2sd and providing a useful idea for studies, to "freeze apps" as opposed to straight deletion in tests. I will use both methods in the future!
    @pinvok3 for their script they made to teach us how to more efficiently locate the apps tied to the ai upscaler and determining the "tvsettings.apk" to potentially be culpable in jailing our upscaler. They also taught me about the dolby vision feature on the shield
    @Renate for allowing me to bother her in the AVB thread while I try to learn how to talk to people like her. haha
    @Manzing for stepping up and being the hero we needed for the 2017 shield community! They were able to locate the correct pathing for the OTA Firmware as well as provide us the stock 9.1 boot and complete OTA!!
    @I_did_it_just_tmrrow For taking the time to verify magisk is able to indeed patch the 2015 version of the Shield HERE and more so they explained the boot images provided on gameworks for the 2015 version have the same hash, therefore a patched boot will work on both the 16gb and 500gb models. Thank you!

    AI UPSCALER FIX:
    THERE'S SOME TROUBLE WITH THE UPSCALER STILL, THE COMMUNITY IS WORKING TOGETHER IN THE COMMENTS BELOW
    Please note that patching the boot with Magisk causes problems like the AI upscaler and Dolby vision being unavailable. You may want to wait for updates unless you have a reason to root with stock but otherwise feel free to join us in troubleshooting!

    NOTE THAT THIS METHOD REQUIRES A FIX SO ONE COULD RUN ADB AS ROOT OUTSIDE OF THE SHELL. (adb shell su works, but not adb root outside of shell) Trying to mod this binary. Bare with me
    View
    3
    jenneh
    jenneh
    I wanted to share something I discovered today that I didn't know about before and this deals with TWRP.

    Today I rewrote a GUIDE going over how to install Lineage OS on the shield.

    I noticed that TWRP when opened will then establish a root shell with the device named RECOVERY
    2.png

    So I adb shell ls and noticed that the contents /are not/ the same as what we see in a regular adb shell or in root exploring apps.
    1.PNG
    In fact, the view we are used to seeing is referred to as "system_root" as listed above. If you were to ls that, you would see your traditional filesystem layout.

    So therefore I was not seeing the full picture before... There's files here I pulled that I hadn't read before, I have to sort between the leftover lineage garbage and what not but I will share the native file dump later.

    This also makes me wonder if I was trying to flash the "roms" wrong for this device. Maybe a new approach would be to make a modified and preinstalled system_root that could be adb pushed.

    Not sure just wanted to share

    --edit have to select the MOUNT option in TWRP and then system + vendor to see the full picture, otherwise a lot of empty folders
    View
    3
    P
    pinvok3
    I'm using 8.2.3. The newer 9 versions seem kind of sluggish. But the script should work on 9 regardless.

    Lastly "Or we lost some kind of DRM keys during the boot unlocking phase." Is this something we can obtain with a serial UART or JTAG adapter? I just got mine in and am not afraid to break the shield open here in a few days if there's something that could be obtained and shared there. I am new to all this so I appreciate everyone sharing the things
    Click to expand...
    Click to collapse
    Sorry I have no idea. I've never worked on Android before and I've spent like 30 minutes on this. :D

    Jtag is usually lower level stuff and I'm pretty sure it's undocumented. If it exists even.
    I just remember, that on a previous phone (Sony Xperia) the drm keys were wiped once you unlock the bootloader, resulting in worse Camera image quality.

    Considering that the upscale works correctly after unroot/relocking, I guess this would only be a soft lock. But still could be registered in the hardware somewhere, where we have no access to. Maybe it's still patchable though.
    View
    3
    jenneh
    jenneh
    @pinvok3 Gosh WOW just wow! Thank You for your Amazing Share!! I will absolutely follow your advice and I will get that app pulled now to poke around.

    Are you rolling 8.2.3 or one of the 9's btw??

    Lastly "Or we lost some kind of DRM keys during the boot unlocking phase." Is this something we can obtain with a serial UART or JTAG adapter? I just got mine in and am not afraid to break the shield open here in a few days if there's something that could be obtained and shared there. I am new to all this so I appreciate everyone sharing the things
    View
    3
    P
    pinvok3
    Okay, I'm grasping straws right now, but my shield just crashed after I have started a movie with Dolby Vision enabled. Can someone confirm if Dolby Vision is grayed out (unavailable) on rooted devices but available on nonrooted ones? After this fix I was able to enable Dolby Vision but my system just died with this log:

    12-20 23:12:18.951 3725 3839 E WindowManager: Exception checking for game stream. Exception: android.content.pm.PackageManager$NameNotFoundException: ComponentInfo{com.android.tv.settings/.MainSettings}
    12-20 23:12:18.951 3725 3839 I InputDispatcher: Dropped event because of pending overdue app switch.
    12-20 23:12:18.953 3725 3864 E AudioService: Audioserver died.
    12-20 23:12:18.982 4578 5347 D DolbyAudioService: IMs12 implementation died... Restoring settings after restart
    12-20 23:12:18.983 4578 5347 D DolbyAudioService: Attempting to connect to IMs12
    12-20 23:12:18.992 4578 12382 I DolbyAudioService: Waiting 1 second before attempting to connect to IMs12...
    12-20 23:12:19.037 12385 12385 D audiohalservicemsd: main() Starting [email protected] from vendor/dolby.
    12-20 23:12:19.050 12385 12385 D : Calling decrypt_blob. err(0)
    12-20 23:12:19.056 3432 3432 E Ipprotectd: decrypt_blob: Error during launch operation. err(0xffff0011)
    12-20 23:12:19.056 3432 3432 E Ipprotectd: Error occurred at decryption. err(ffff0011)
    12-20 23:12:19.058 12385 12385 E : Decryption failed
    12-20 23:12:19.058 12385 12385 E : decrypt_blob failed! err(0)
    12-20 23:12:19.058 12385 12385 E : Failed to decrypt.
    12-20 23:12:19.058 12385 12385 E : Failed decrypt .text section.
    12-20 23:12:19.059 12385 12385 F libc : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x4ec98e90 in tid 12385 (android.hardwar), pid 12385 (android.hardwar)
    12-20 23:12:19.062 12384 12384 I ServiceManagement: Removing namespace from process name [email protected] to [email protected].
    Click to expand...
    Click to collapse

    It seems like some encrypted communication fails which takes the whole system with it. It makes me more suspicious that the bootloader unlock removes/hides/blocks some DRM keys required for AI/Dolby Audio to work. If we could somehow hook into the bootloader unlocking phase to see what's happening ..
    View

New posts