Kill the kill switch - "ST - yy"

Search This thread

DragonBS

New member
Aug 31, 2015
1
0
0
my device has no system/app folder or I cannot seem to find it (using TWRP) can someone help me out? (I prefer to manually delete the file, thank you)
 

gerubu

New member
Oct 10, 2008
3
0
0
I have rooted my old shield and flashed the 3.1.1 full with cwm.
Then i flashed the nomoreota file through cwm.
Is this enough for stopping the kill switch at this moment?
And can i still use game streaming?
Sorry for my English ( i'm Dutch )
 

biffster

New member
Sep 15, 2011
3
2
0
All looks OK; Am I ready to power ON the replacement tablet and setup? Im thinking of a friend I can gift this to that would enjoy it as long as it stays usable. Thanks XDA

Be sure to warn your friend that the battery might start on fire randomly some day. The odds are low, of course, but they are high enough that nVidia decided to give everyone who has that battery a free tablet...
 
  • Like
Reactions: nbk1978 and Hellren
Oct 27, 2013
3
0
21
I have rooted my old shield and flashed the 3.1.1 full with cwm.
Then i flashed the nomoreota file through cwm.
Is this enough for stopping the kill switch at this moment?
And can i still use game streaming?
Sorry for my English ( i'm Dutch )

Looks like it is working. Enough time has passed folk to feedback, and there's not discernable chatter suggesting the mod doesn't work. GRID and game streaming still works here.
 

diafebus

Member
Jan 3, 2011
42
12
0
My nvidia shield wants the update "ST - yy" but I installed TWRP and removed the file from system>app OTA and it is still working!

Let's see how long it lasts! Is it safe to manually update to 3.1.1? I did the thing before this update was rolled out and obviously it didn't show up.

Thanks
 

half269

Senior Member
Feb 24, 2011
132
16
0
Poręba
Came new tablet

1) on the old Tablet ive I loaded "nv-recovery-image-shield-tablet-lte-row-update3_1_0"
2) then update to 3.1.1 gold
3) via adb ive loaded TWRP recovery
4) by TWRP loaded SuperSU v2.46
5) reset
6) installation from google play "quick boot"
7) by a quick restart to boot TWRP
8) installation nomoreota.zip

after these operations have enclosed new tablet, everything works
old tablet and new operating without problems:good:

sorry my english
 

topcat36

Senior Member
Jan 4, 2007
211
74
0
My nvidia shield wants the update "ST - yy" but I installed TWRP and removed the file from system>app OTA and it is still working!

Let's see how long it lasts! Is it safe to manually update to 3.1.1? I did the thing before this update was rolled out and obviously it didn't show up.

Thanks
Updating to 3.1.1 will restore the OTA file. Take care to remove the file immediately after the update and don't allow any connection to the internet before is removed.
 

TALOcommander

Member
Feb 12, 2011
7
2
0
Came new tablet

1) on the old Tablet ive I loaded "nv-recovery-image-shield-tablet-lte-row-update3_1_0"
2) then update to 3.1.1 gold
3) via adb ive loaded TWRP recovery
4) by TWRP loaded SuperSU v2.46
5) reset
6) installation from google play "quick boot"
7) by a quick restart to boot TWRP
8) installation nomoreota.zip

after these operations have enclosed new tablet, everything works
old tablet and new operating without problems:good:

sorry my english

so you don't flash nomoreota on new tablet? it's stock with no root?
 

Frankenscript

Senior Member
May 29, 2014
932
165
73
Indianapolis Metro
nomoreota installed only on the old tablet
I disagree. The LAST thing I want on any computer/phone/tablet is to have a way for the manufacturer or others to push updates at me that I can't refuse.

My new tablet works fine; I've run nomoreota on it so that nvidia can't shove something down my throat that changes that.

Nvidia can have their defective battery tab back... The value in nomoreota for me is knowing I can keep my new one the way it is and not worry about an OTA backdoor.

Sent from my SHIELD Tablet using Tapatalk
 

gotbass

Senior Member
May 30, 2012
83
9
0
Sorry this is going to be stupid question, havn't been on the android scene in a while.

I'm on stock, if i copy paste the attached zip to my mem card and boot up into recovery there should be an option to install the zip?

Thanks for your hard work =)
 

Rilen

Member
Aug 17, 2015
23
4
0
Just for letting you know

Inviato dal mio SHIELD Tablet utilizzando Tapatalk

---------- Post added at 20:49 ---------- Previous post was at 20:43 ----------

Double post sorry ...
I received on my old tab the St Yy upgrade.

Thank you bogdacu !!!!

Inviato dal mio SHIELD Tablet utilizzando Tapatalk
 

frenziedfemale

Senior Member
Aug 20, 2014
131
32
0
Sorry this is going to be stupid question, havn't been on the android scene in a while.

I'm on stock, if i copy paste the attached zip to my mem card and boot up into recovery there should be an option to install the zip?

Thanks for your hard work =)

If you have a custom recovery already, twrp or cwm. If not you need to either root and remove the files manually or install a custom recovery then install the zip through that

Sent from my Nexus 5 using Tapatalk
 

xavior00

Member
Jun 20, 2013
8
0
0
Rooting problem 3.1.1

hey guys,

I am having a stupid time trying to root my original tablet now on 3.1.1 with the stagefright update with kingroot 4.50 not working at all. It starts rooting and all of a sudden the app closes on me, upon reopening, continued for another few percent and fails. I have tried many times to get this to work but nothing. Have you guys had any luck? Am I using the right method to root the device? My other tablet before the new 3.1.1 update rooted no problem. Is rooting absolutely necessary in order to remove the OTA or can I boot into stock recovery and load from there?
 

Frankenscript

Senior Member
May 29, 2014
932
165
73
Indianapolis Metro
hey guys,

I am having a stupid time trying to root my original tablet now on 3.1.1 with the stagefright update with kingroot 4.50 not working at all. It starts rooting and all of a sudden the app closes on me, upon reopening, continued for another few percent and fails. I have tried many times to get this to work but nothing. Have you guys had any luck? Am I using the right method to root the device? My other tablet before the new 3.1.1 update rooted no problem. Is rooting absolutely necessary in order to remove the OTA or can I boot into stock recovery and load from there?

Just unlock the bootloader with the ADB/Fastboot tool (wipes device), install TWRP / SuperSU and move forward from there. This is a much better way to root than relying on some exploit that may or may not work reliably. See the Root thread.

Marc
 
Jun 11, 2012
17
0
0
Just a quick question: if I'll active airplane mode on the old tablet the kill switch will not become effective, is it right?

No one answer so I have to motivate better.
Consider the concrete possibility that NVIDIA has a database with the new tablet activation information and the relative check about the old tablet deactivation.
We don't know what NVIDIA will do in this new scenario where a lot of users continue to preserve the old tablet working.
For sure will be someone (stupid) in the world that will resell the defective one.
What NVIDIA will do if one of these old tablet will cause damage?
In a couple of weeks/months NVIDIA will face in some way with who did not respect the rules of the replacement: all the users that will have not the check in the database of the deactivation.

So, as you all, I'd like to keep the old tablet running (continuing to use without stress it), but for the moment I wanna wait.
At the same time I want to check if the new tablet has no defects.

Then, the answer is again: if I'll active airplane mode on the old tablet and I'll put it in the box turned off, the kill switch will not become effective, is it right? Everithing depends by a signal sent from remote with internet, is it correct?

Thanks for the attention.
 

Frankenscript

Senior Member
May 29, 2014
932
165
73
Indianapolis Metro
@mystreetspirit:

Yes, as Bogdacutu has said in this thread and I think some others, the old tablet needs an internet connection in order to receive the kill switch. They know when we activate the new one, they've got a database linking the new activation to the OLD tablet, and next time the OLD tablet runs the TegraOTA app it silently downloads the kill instructions, runs it, and kills the old tablet. Removing TegraOTA or simply putting a different ROM on the old tablet prevents it from looking for and receiving the kill instructions. I believe Bogdacutu said he didn't see an indication that they keep track of which OLD tablets actually download the kill instructions.

I remain a bit shocked at how many people want to keep and use the old tablets. I'd like to keep mine for parts, if not obligated to send it back, in case I screw up my screen or get case-cracks. I'm still evaluating the ethics on this before I make a final decision. But for gosh sakes, the early failure rate of the battery was enough for Nvidia to feel obligated to spend millions to replace every tablet out there... wow. Just because there are not a lot of reports of major problems (I've heard "4 out of 88,000"), these batteries go bad over time and that number will spike. I've factory reset my old one, let it drain to a safe ~5% battery, and shut it off. In all likelihood, being in the US, I'll eventually ship it back. It looks like the return box takes it to a place that will likely refurb it for resale. I don't think in the US they just go to a recycler for scrapping. I believe Nvidia wants to extract value out of it, and that's their right, and if so I feel ethically bound to give them my old one.

As to if someone sells it, laws vary from place to place but in the US I believe it to be illegal to sell something that's been recalled, and certainly you can't ship a known defective/recalled lithium battery without jumping through special hoops like Nvidia did. Anyone who sells one of these old units even with disclaimer that it's recalled is probably violating the law. I'm not a lawyer though, so I could be wrong. Certainly if a unit starts a fire, the seller would be in deep trouble.

The bigger problem is that all the defective units out there will drag down the resale price of GOOD units. A year from now I might want to sell my replacement unit, perfectly good with good battery, but buyers might be suspicious that it could be an old unit... this force will likely depress resale value of this model permanently.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 410
    < include generic disclaimer here >

    TL;DR

    Since update 3.1, Nvidia can force updates (such as the one that bricks your tablet) to be downloaded and installed silently. No guarantees, but:
    • If you're on stock, delete TegraOTA (/system/app/TegraOTA or /system/priv-app/TegraOTA if you're on 5.0 or newer, or /system/app/TegraOTA.apk if you're still on 4.4) before booting into Android (the attached ZIP file does this for you, but please check with the file manager in recovery before rebooting and let me know if it didn't work), then reboot
      Note: you also will need to delete TegraOTA again if you ever install an OTA from Nvidia or a recovery image
    • If you're not on stock, you're probably safe
    EDIT: The urgent OTA is currently not getting sent out to any devices anymore, not even to those who have been getting it before.
    EDIT 2: The urgent OTA is now being delivered again, this time named "ST - yy"!

    What if my tablet is already deactivated?

    Unless you can still boot into fastboot mode (in which case your tablet isn't really deactivated yet), your tablet is probably gone for good. The only way to fix this would be through nvflash, and using it requires the SBK that is unique to each device and that only Nvidia knows, so it's pretty unlikely that we'll ever be able to fix these deactivated tablets.

    What/why/how?

    In the last OTA (Update 3.1), Nvidia has made some changes to their TegraOTA application. The most important/interesting/suspicious of which is the ability for them to mark OTAs as "urgent". What this means is that these updates will be downloaded without ever notifying the user, and they will be installed without asking the user for permission first. If this is how the kill switch is delivered, all users will see is the tablet randomly rebooting and installing an update, then the tablet would never boot again. As some of you might notice, this would match what has been happening to a few users already, both here and on reddit.

    But that's not all. I've been connecting to the OTA servers using various serial numbers (both found and provided to me by a few people) in hopes of actually finding the update that bricks the device. The first serial number I've tried that wasn't mine was the serial number from the screenshot on the recall page. It revealed an interesting "urgent" OTA, named "SHIELD Tablet xx - LTE", which does nothing but flash a blob (which, among other things, contains the bootloader). Many more questions appear now, but the main one is: if this is nothing but a routine bootloader update, why is it marked urgent? And why is it not attached to any Android update? But this by itself is not enough to prove anything, as I could only obtain it with one serial number, so as far as I could have known, it might had just been an internal update or something similar. (update is linked and analysed in the second post below)

    Today, however, one of the serial numbers I've been given by some of the people here (thanks for the help guys!) turned out to have the same update waiting for it the next time it connected to the Internet. This rules out the possibility of an internal update, so the next somewhat obvious possibility is that this is the kill switch. Mind you, I still have no direct way of proving this without flashing the ZIP to see what happens (which I'm not planning to do myself), but I will keep checking on the other serial numbers I've gotten to see if this update turns up for them too.

    The same person who has given me this serial number has also tested running the old tablet on the latest stock Android version but with TegraOTA removed, and, as expected, the tablet is still working perfectly fine now. Your mileage may vary.

    How can I know if the kill switch has been triggered for my tablet?

    Go to http://shield.bogdacutu.me/ and enter the full serial number of your old tablet. If the next OTA returned is "SHIELD Tablet xx" "ST - yy", the kill switch has been triggered for your tablet.
    Warning: the serial number from the box of the tablet and the one etched on the side of the tablet are not complete, as they only contain the first 13 characters of the full (20 characters) serial number. You can get the full serial number from Android (Settings -> About -> Status), from the bootloader (it will be on the screen when you boot into bootloader mode), or from your computer if the tablet is or (in some cases) if it was previously connected, using various tools such as USBDeview. Example: 0413714803249000a4cf (you can try this on the page and it will return that the kill switch is activated).

    Why would I want to also do the fix on my new tablet too?

    The update is signed by Nvidia, and communication with the OTA server does not use HTTPS, so, for example, a malicious WiFi network could MITM your connection and cause this update (as well as any other signed update) to be flashed to your new tablet without your permission, thus permanently disabling it too. If you have the stock recovery, only updates signed by Nvidia can run. The story might be slightly different if your recovery doesn't enforce signature verification (such as TWRP and CWM by default).

    Can I still get updates from Nvidia after doing this?

    Not directly, but people will post OTA download links here on xda when new updates get released. I'd personally recommend that you wait before flashing though until someone here checks the new update to confirm that there's no new way for Nvidia to kill your tablet.


    Many hours of work have gone into investigating this. Even if it doesn't help your specific scenario, consider hitting that Thanks button, so that I can at least know it wasn't for nothing. :)
    I'd also like to thank the people who have given me their serial numbers to use for testing again, this wouldn't have been possible without their help: @Beauenheim, @Jackill, and @runandhide05 (who has even volunteered to test removing TegraOTA with the latest update on his old tablet :highfive:)
    19
    Fragments of code from TegraOTA.apk

    < screenshots temporarily removed >

    Also, from what I've seen so far, the update isn't delivered instantly after activating the new tablet. I don't know exactly what the rule is, but out of the 4 serial numbers that I have, only 2 have this update waiting for them.

    EDIT: One more serial number from the ones I have has gotten the xx update. Only one left...

    EDIT 2: All the serial numbers I have have the urgent OTA waiting for them now.
    18
    "SHIELD Tablet xx" - Update Analysis

    OTA URL: http://ota.nvidia.com/ota/data/post...wf-full_ota-32256_554.0168.20150624152335.zip
    yy OTA URL: http://ota.nvidia.com/ota/data/posted-roms/uploaded/st---yy--092704233775---7294.20150819152732.zip (if you don't know what you're doing, DO NOT DOWNLOAD THIS, it's very likely that this will permanently brick your device upon flashing it!!!) - also attached to this post in case this link becomes invalid

    updater-script is the first file we check:
    Code:
    getprop("ro.product.device") == "shieldtablet" || abort("This package is for \"shieldtablet\" devices; this is a \"" + getprop("ro.product.device") + "\".");
    nv_copy_blob_file("blob", "/staging");
    reboot_now("/dev/block/platform/sdhci-tegra.3/by-name/MSC", "");

    Suspiciously enough, this only flashes a blob to the staging partition. But what exactly does this blob do, you might ask? Well, the blob actually contains data for 9 partitions, which are automatically replaced during the next boot (before the bootloader does anything else at all, so once you've rebooted, there's no going back) with the contents present in this blob. The 9 partitions are as follows (also detailing comparison with files from update 3.1):

    • BCT (Boot Configuration Table) - stores some information that is needed for the device to find the bootloader stored on the other partitions, initialize the RAM and some other stuff
      Status after update: probably corrupted - the previous OTAs have binary BCTs, but this update replaces it with a text file (which, while it does contain somewhat relevant information, is likely not a valid format). If this is corrupted, it's enough for the device not to be able to boot anymore.
    • BMP (boot logo) - intact
    • DTB - intact
    • EBT (part of the bootloader) - has a zeroed out region
    • NVC (part of the bootloader) - intact
    • RBL (part of the bootloader) - has a zeroed out region
    • RP4 (landscape boot logo) - intact
    • TOS (Trusted OS - probably part of the bootloader too) - has a zeroed out region
    • WB0 (related to the boot process, source file is named "nvbootwb0.bin") - has a zeroed out region
    The update also contains a few other files, but those are not used at all (probably leftovers from the 5.1 AOSP update template that they are using).

    DO NOT DOWNLOAD THE ATTACHMENT IF YOU DON'T KNOW WHAT YOU'RE DOING. THIS IS THE XX OTA, NOT THE ZIP THAT REMOVES TEGRAOTA!
    10
    I don't mind the OTA app on my new tablet, but I don't like the ability to just download silent updates. That concerns me, especially considering legitimate tablets getting nuked.

    I made the attached Xposed module if you're running 5.1.1 that will disable the silent download method. It will also mark "urgent" updates as no longer urgent (thus they will show a notification instead). This means you can theoretically have the OTA app installed on your terminated tablet. But you will have a persistent notification for an OTA available. Screenshot of this on my terminated tablet is also attached (for fun, don't do it on yours, I can't/won't be responsible).

    So if you'd like the peace of mind of not having silent updates snuck past you even on your perfectly good tablet, install this Xposed module. I only tested on 5.1.1 by the way.

    Code:
    package biz.underpants_gnomes.android.xposed.mods.nvsilentupdatekiller;
    
    import android.content.Context;
    
    import java.lang.reflect.Array;
    
    import de.robv.android.xposed.IXposedHookLoadPackage;
    import de.robv.android.xposed.XC_MethodHook;
    import de.robv.android.xposed.XC_MethodReplacement;
    import de.robv.android.xposed.XposedBridge;
    import de.robv.android.xposed.XposedHelpers;
    import de.robv.android.xposed.callbacks.XC_LoadPackage;
    
    public class NVSilentUpdateKiller implements IXposedHookLoadPackage {
    
        @Override
        public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) {
            if (!lpparam.packageName.equals("com.nvidia.ota"))
                return;
    
            try {
                final Class<?> mClsRomInfo = XposedHelpers.findClass("com.nvidia.ota.utils.RomInfo", lpparam.classLoader);
                XposedHelpers.findAndHookMethod("com.nvidia.ota.UpdateCheckService", lpparam.classLoader, "silentDownloadUpdate",
                        Context.class, mClsRomInfo, XC_MethodReplacement.returnConstant(null));
    
                final Class mClsArrOfRomInfo = Array.newInstance(mClsRomInfo, 0).getClass();
                XposedHelpers.findAndHookMethod("com.nvidia.ota.utils.RomInfo.FetchInfoTask", lpparam.classLoader, "onPostExecute",
                        mClsArrOfRomInfo, new XC_MethodHook() {
    
                            @Override
                            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                                if ((param.args[0] == null) || (Array.getLength(param.args[0]) == 0)) { return; }
    
                                Object mRomInfo = Array.get(param.args[0], 0);
                                XposedHelpers.setBooleanField(mRomInfo, "urgent", false);
                            }
                        });
            } catch (Throwable t) { XposedBridge.log(t); }
        }
    }
    8
    Got The Urgent one of my my Tablets

    First of all, would like to thank Bogdacutu for all the research and work done.:good::good::good: Never rooted or flashed anything Android, the last experience I had with any type of root/jailbreak was with an Iphone 4 - redsn0w (no longer an Apple user). Anyway, I have 2 Shield Tablets, so did the whole recall process, got my replacements in the mail and left them untouched. I'm not anywhere near developer or programmer level, but I can work my way around PC's (built 5 desktops), but figured someone would figure out how to bypass this killswitch. Honestly I've had my original tablets since last November, and never really had a problem of them getting super hot, so definitely did not want to send these back. Followed Bogdacutu's instructions and with some simple research (Not asking on this thread) I first had to root, flash TWRP, flash 3.1 OTA, then flash nomoreota.zip to remove the TegraOTA folder and TegraOTA.apk, and today, via Bogdacutu's link, noticed one of them is pending the "Urgent update of Death!" So. out of curiosity..just restarted the tablet with the killswitch and booted up fine. :victory:. Been reading this thread since it was only 1 page and haven't really found stating if this actually worked after following Bogdacutu's instructions and then activating the new tablet. Well, so far my tablet restarted and all is well, i'll try again and restart tomorrow to see what happens. And guys, stop asking Bogdacutu how to root, flash, etc. Youtube is an amazing thing nowadays. Follow these links for those instructions and lets keep focused on results! Again, thank you Bogdacutu. Here's youtube links to root, flash, etc. and of course DON'T forget to flash nomoreota.zip (download link via OP) , literally this is all you need.

    https://www.youtube.com/watch?v=Ocar8LJZlt0
    https://www.youtube.com/watch?v=5BZGleRdqPk

    3.1 OTA, click on Download>OTA>Full, pick your model ...
    http://forum.xda-developers.com/shi...k-recovery-images-ota-library-guides-t2988881
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone