[PATCHED BOOT.IMGs] Achieve Root on STOCK Firmware and Keep Stock APPs (2017 & 2019)

Hello Friends~!

We now have a working method to achieve ROOT on STOCK Firmware!
HOW TO ROOT:
If you are already running the STOCK firmware version you want to ROOT, Skip to step 2.
(For instance If you are running stock 9.1 or 9.1.1 already, skip to step 2)

STEP 1:
Select a STOCK firmware from this THREAD, and fully install it.

STEP 2:
Download the BOOT MOD that correlates to your installed STOCK firmware.
If you want to build your own "Boot Mod" the instructions are HERE
Special Thanks to @Manzing for obtaining the 9.1 and 9.1.1 images for us
If you want me to add more, let me know.
STEP 3:
Boot your shield into the Bootloader menu. Requires an unlocked bootloader. See the PREREQUISITES section in this THREAD for how to do so. Unlocking your bootloader WILL erase your data.

STEP 4:
Run .bootmod.bat - this will go through and erase the old boot.img partition, flash the new one, and reboot for us.
Code for reference:
Code:
fastboot erase boot
fastboot flash boot bootmod.img
fastboot reboot

STEP 5:
Download Magisk Delta HERE and name it simply "delta" if you plan to use ADB to install MIRROR

STEP 6:
Install Magisk Delta either through adb (Or install using a usb drive, network drive, or file sharing app.):
Code:
adb install delta.apk

Magisk Delta is located in Settings on the shield, apps > system apps.

Now Opening Magisk Delta will trigger this alert:
MAGISK APKINSTALL.jpg


STEP 7:
Open Magisk Delta and hit the settings button at the top right
1669805539433.png


Enable ZYGISK:
zygisk.jpg

Reboot Once Again and you will Now have root!

PLAYSTORE FIX IF YOUR PLAYSTORE IS MISSING APPS

STEP 1:
Download the safetynet module HERE and name it safety. MIRROR
Do whatever you have to, to get the module to your download folder.
If using adb:
Code:
adb push safety.zip /sdcard/Download

STEP 2:
Open Magisk and select the Modules button at the bottom right. The puzzle piece!
Select add a install from storage, navigate to Download, and install safety.zip, then reboot.
2.jpg

STEP 3:
MAGISK HIDE SETTINGS-
In magisk, under Settings, enable MagiskHide. Now select Configure MagiskHide
4.jpg

Click to show system apps
5.jpg

Then check all the settings for Google Services Framework
3.jpg

Then check everything under Google Play Services EXCEPT GMS <3 Thank You Noot Noot~!
1.jpg

Now go into the SHIELD'S Settings > APPS > and force stop and Clear Data for Google Play Services, Google Services Framework, and the Google Play Store. Reboot.
6.jpg

You will now have Root and still be able to use apps and features that you shouldn't be able to thanks to the safetynet bypass and magiskhide settings. Normally with root we cannot install Disney +, but as you see, we Sure Can Now~! ;-)

Remember that you can turn the safetynet module off, which may be needed to do so you can run adb as root or perform other root operations

THIS METHOD REQUIRES A FIX SO ONE COULD RUN ADB AS ROOT, I AM WORKING ON THAT FIX NOW. FOR THOSE THAT NEED <---Probably just me! =]
SPECIAL THANKS TO OUR FRIENDS IN THE XDA COMMUNITY <333
@nooted1 for teaching us about the magisk variant "delta" that has magiskhide still configured inside the apk
@ajolly for their efforts in educating us about safetynet modules that can be used within magisk
@louforgiveno for their efforts in reverse engineering apks, determining that it would be better to clear data in the google playstore instead of cache, and providing excellent feedback on pretty much every step of the way.
@abc1054 for testing the ai upscaler and teaching me how to even use the silly thing.
@Zer0_rulz for testing the upscaler and teaching us about link2sd and providing a useful idea for studies, to "freeze apps" as opposed to straight deletion in tests. I will use both methods in the future!
@pinvok3 for their script they made to teach us how to more efficiently locate the apps tied to the ai upscaler and determining the "tvsettings.apk" to potentially be culpable in jailing our upscaler. They also taught me about the dolby vision feature on the shield
@Renate for allowing me to bother her in the AVB thread while I try to learn how to talk to people like her. haha
@Manzing for stepping up and being the hero we needed for the 2017 shield community! They were able to locate the correct pathing for the OTA Firmware as well as provide us the stock 9.1 boot and complete OTA!!
AI UPSCALER FIX:
THERE'S SOME TROUBLE WITH THE UPSCALER STILL, THE COMMUNITY IS WORKING TOGETHER IN THE COMMENTS BELOW

Please note that this only helps you to patch your boot Easier but this does cause problems as ADB cannot be run as root and the upscaler and Dolby vision have trouble. You may want to wait for updates unless you have a reason to root with stock but otherwise feel free to join us in troubleshooting!
 

louforgiveno

This is great news for the Shield...the ai upscaling not working was the main reason I haven't rooted yet. Thank you for your time and efforts getting this together!
Bravo!
 
@louforgiveno it's only thanks to the Community haha. I was trying to do things in a much more complicated way and thanks to nooted and renate I understand that there is no need to reinvent the wheel and we can use the tools already made. (magisk + safetynet modules shared by ajolly) [still going to do complicated things tho.. got my uart serial adapter in today. idk how to use it but will find out and or bother renate till she blocks me :D]

This guide is a good reference to bypassing safetynet
--edit now after rewatching the video a few times I understand what nooted is talking about when they say this
" The Magisk Hide settings need to be set such that everything under Google Play Services is toggled on EXCEPT FOR the GMS one at the top. Also, toggle it on for Google Services Framework."

Thank you again sosososo much @nooted1 I feel so stupid I didn't realize what magisk actually is, or does. You are the reason I learned how to select the boot.img in magisk and tell it to patch it so I can share a modded image. Now I am like a million percent certain we can do something with the system and then we would have a rom after a little customizations!
 
@louforgiveno 100 Percent Confirmed! Disney + is in the playstore and the ai upscaling is functional without having to relock the boot loader, YAY! Haha. The guide has been updated with the steps. It was super easy thankfully

Now I am going to learn how to get the system pulled with all of this preinstalled so we never have to do this mess again. Idk how or how long it will take but it will happen. At least folks can use this for now
 

louforgiveno

Nice, that's great news! I'm gonna dig into this over the weekend 😁
 
HOW TO BUILD YOUR OWN "BOOT MOD":
For anyone who wanted to know how I made the boot mods I shared, so you can make it yourself if you want.

You can take the boot.img provided to us from NVIDIA and push it to your sd card.
Code:
adb push boot.img /sdcard/Download

Then use magisk to patch the image. I didn't know what this option Meant until yesterday. Haha

YOU HAVE TO DO THIS ON THE SHIELD. AN EMULATOR WILL NOT WORK; This example uses nox because I didn't feel like recording my TV


Magisk will tell you at the end what it named the file, then you could pull the image, rename it to whatever you like, and share it. (for instance i named mine bootmod.img with a batch to erase and reflash the partition)

This should work for other devices. So that's how you patch a boot nowadays I guess? Idk it's how I did it

More documentation on things we can do while modding the boot:

Modding the adbd- a work in progress:

A Sidenote. Something funny I discovered. DON'T Do this haha.

IDK why it is but, if you push the build.prop from the ROOT 8.2.3 to the stock version, it crashed it in an interesting way. After resetting, the shield would post to the nvidia logo, make it to the google logo, crash, reboot to nvidia logo then android literally died. Haha.
IMG_20221201_025842.jpg


Whereas, if you sent the STOCK build.prop to the ROOT system, it would not crash, and would instead allow you to do some things you normally couldn't, like download the 9.1 OTA package
 
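A pre-flash sanity check for the boot images discussed in this post and flashed in step 4 of the guide, added here as an example and not code from the thread. Step 4 erases the boot partition before flashing, so a truncated or mislabelled bootmod.img is worth catching first. It assumes the legacy Android boot image header (versions 0 to 2); the thread does not say which header version the Shield images use, and the sample image is constructed.

```python
import hashlib
import struct
import sys

BOOT_MAGIC = b"ANDROID!"
# Legacy boot image header (versions 0-2): 8-byte magic, then ten
# little-endian u32 fields starting at offset 8.
FIELDS = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
          "second_size", "second_addr", "tags_addr", "page_size",
          "header_version", "os_version")


def inspect_boot_image(data: bytes) -> dict:
    """Validate a legacy-format boot image and return facts worth recording."""
    if len(data) < 48 or data[:8] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic: not a boot image")
    hdr = dict(zip(FIELDS, struct.unpack_from("<10I", data, 8)))
    if hdr["header_version"] > 2:
        raise ValueError("header version %d not handled by this example"
                         % hdr["header_version"])
    page = hdr["page_size"]
    if page < 2048 or page & (page - 1):
        raise ValueError("implausible page size %d" % page)
    if hdr["kernel_size"] == 0:
        raise ValueError("kernel size is zero")

    def pages(n):  # every section is padded up to a whole page
        return (n + page - 1) // page

    # Lower bound on file size: header page + kernel + ramdisk + second stage.
    min_size = page * (1 + pages(hdr["kernel_size"])
                       + pages(hdr["ramdisk_size"])
                       + pages(hdr["second_size"]))
    if len(data) < min_size:
        raise ValueError("truncated: %d bytes, header needs at least %d"
                         % (len(data), min_size))
    # os_version packs A.B.C in the top 21 bits and the security patch
    # level (year - 2000, month) in the low 11 bits.
    ver, patch = hdr["os_version"] >> 11, hdr["os_version"] & 0x7FF
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "header_version": hdr["header_version"],
        "kernel_size": hdr["kernel_size"],
        "ramdisk_size": hdr["ramdisk_size"],
        "min_size": min_size,
        "os_version": "%d.%d.%d" % (ver >> 14, (ver >> 7) & 0x7F, ver & 0x7F),
        "patch_level": "%04d-%02d" % (2000 + (patch >> 4), patch & 0xF),
    }


def build_sample_image() -> bytes:
    """Constructed sample for the demo, not a real Shield image."""
    os_version = (((11 << 14) | (0 << 7) | 0) << 11) | ((2022 - 2000) << 4) | 10
    header = BOOT_MAGIC + struct.pack(
        "<10I", 5000, 0x10008000, 3000, 0x11000000, 0, 0,
        0x10000100, 2048, 0, os_version)
    image = header.ljust(2048, b"\0")                 # header page
    image += (b"K" * 5000).ljust(3 * 2048, b"\0")     # kernel, 3 pages
    image += (b"R" * 3000).ljust(2 * 2048, b"\0")     # ramdisk, 2 pages
    return image


if __name__ == "__main__":
    # With a path argument, check that file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_image()
    for key, value in inspect_boot_image(blob).items():
        print("%-15s %s" % (key, value))
```

Recording the SHA-256 of the image you patched yourself gives you something to compare against before any later reflash.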

ajolly

Fantastic, glad it worked out. Thanks for testing it!
I mostly want to go run cf.lumen on my shield to help with sleep.

Btw, I suspect patching the boot.img will work on any device with the same architecture - ie your phone.
 
And probably QEMU the arm architecture version too! <--Idk how to use the arm qemu yet but I have some videos stored away and some ambitions to build a proper android vm that is arm based and open source, and won't plant crap all over your drive! lol.
this man is a godsend but that would be more so if you wanted to do a one for one of a dump. Mine would be based off aosp
 

ajolly

Why do you want that? You’d end up converting arm code to run on x86, way more efficient to just run an x86 version.

But if you really want, it's possible - https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html
 

ajolly

I want to do it to know how to, haha. not really for anything practical right now, just for practice. and Thank You so much!!
I have not extensively tested it, but it seems like windows subsystem for android (on windows 11) includes an arm emulation layer. Overall it's one of the nicest android emulation experiences, at the downside of not supporting all functionality properly - like notifications.
 
The rooting worked good, but ai upscaling does not work, I have tried your instructions. When I went to test out a video, it would only put it to basic, not AI-upscaling. I put it to enhance, it says yes. But it's same as basic, no change in enhanced. And no to ai-enhanced. I did all the instructions that was given on this site. So I put my Nvidia shield tv pro back to 9.1.1. Thanks for all your hard work 🙂. Hope someone figures it out for Ai-enhanced.
Your message you mailed said you used 480 p video so no that would not work. I tried the same thing with little house on the prairies and then read an article that said to use 720p or 1080p
 
I reinstall the Nvidia shield tv pro 9.1.1 and rooted it, everything works but the ai upscaling, and time before I installed 8.2.3. Even checked the safetynet and was all good. So I don't get why Ai upscaling don't work. Did everything in this forum. I'm confused, if someone ever tested it, with upscaling.. it does not work. Sorry. Test it twice now. No go. Video on 720p and 1080p. Thanks again.
 

Zer0_rulz

Clean installed 9.0 then manually updated 9.1.1, then did the instruction here, and got this result
 

Attachment: 20221214_201627.jpg

Top Liked Posts

  • 1
    Thanks to our friend @Manzing we now have patched bootmods for the 2017 version of the shield. They got us both the 9.1 and 9.1.1! Both images have been added to the thread. Again thank you Manzing for taking the time!
  • 1
    Hi, thanks @jenneh for your tutorial. I just got a 2017 Shield TV and flashed 8.2.3 stock version, then successfully rooted it with your instructions.
    I just cannot install safety net package in Magisk as I am unable to select the file, I can't understand why. Using remote or controller, no way to move selection in any folder... only an empty "recent files" screen is displayed.
    Is there any other way to do it ? Don't really want to install TWRP for it.
    I managed to dump the OTA file, it should be 9.1 version as displayed on ATV.

    In my case it was located in /data/data/com.nvidia.ota/app_download/ (for 8.2.3 version)
    With 9.1+ version, OTA package is located in /data/ota_package

    Do you want the untouched boot.img ?

    I can upload it somewhere if you like.
    1
    For me personally I always had to use a mouse to be able to select the correct downloads folder. It's inconvenient but it is the only way I know of. (Plug in mouse, go to the menu on the left and somewhere in there you click on Download folder and you can access and install your modules.. idk what it is with magisk going to a different dl folder?)

    I would absolutely love a copy of the 9.1 I really appreciate your time! You are amazing :DDDD

    PS Thank You for Providing us the Pathing for the OTA on the 2017 that is so helpful;
    1

    Thanks, I solved my issue with the following adb command :
    Code:
    adb shell pm uninstall -k --user 0 com.android.documentsui
    It removed the android's stock file app and then Magisk asked for another file manager to load the file.
    With a decent file manager it is much better :)

    I sent you a MP with a link for 9.1 boot.img.
    3
    I wanted to share something I discovered today that I didn't know about before and this deals with TWRP.

    Today I rewrote a GUIDE going over how to install Lineage OS on the shield.

    I noticed that TWRP when opened will then establish a root shell with the device named RECOVERY
    2.png

    So I adb shell ls and noticed that the contents /are not/ the same as what we see in a regular adb shell or in root exploring apps.
    1.PNG
    In fact, the view we are used to seeing is referred to as "system_root" as listed above. If you were to ls that, you would see your traditional filesystem layout.

    So therefore I was not seeing the full picture before... There's files here I pulled that I hadn't read before, I have to sort between the leftover lineage garbage and what not but I will share the native file dump later.

    This also makes me wonder if I was trying to flash the "roms" wrong for this device. Maybe a new approach would be to make a modified and preinstalled system_root that could be adb pushed.

    Not sure just wanted to share

    --edit have to select the MOUNT option in TWRP and then system + vendor to see the full picture, otherwise a lot of empty folders
    3
    I'm using 8.2.3. The newer 9 versions seem kind of sluggish. But the script should work on 9 regardless.

    Lastly "Or we lost some kind of DRM keys during the boot unlocking phase." Is this something we can obtain with a serial UART or JTAG adapter? I just got mine in and am not afraid to break the shield open here in a few days if there's something that could be obtained and shared there. I am new to all this so I appreciate everyone sharing the things
    Sorry I have no idea. I've never worked on Android before and I've spent like 30 minutes on this. :D

    Jtag is usually lower level stuff and I'm pretty sure it's undocumented. If it exists even.
    I just remember, that on a previous phone (Sony Xperia) the drm keys were wiped once you unlock the bootloader, resulting in worse Camera image quality.

    Considering that the upscale works correctly after unroot/relocking, I guess this would only be a soft lock. But still could be registered in the hardware somewhere, where we have no access to. Maybe it's still patchable though.
    3
    @pinvok3 Gosh WOW just wow! Thank You for your Amazing Share!! I will absolutely follow your advice and I will get that app pulled now to poke around.

    Are you rolling 8.2.3 or one of the 9's btw??

    Lastly "Or we lost some kind of DRM keys during the boot unlocking phase." Is this something we can obtain with a serial UART or JTAG adapter? I just got mine in and am not afraid to break the shield open here in a few days if there's something that could be obtained and shared there. I am new to all this so I appreciate everyone sharing the things
    3
    Okay, I'm grasping straws right now, but my shield just crashed after I have started a movie with Dolby Vision enabled. Can someone confirm if Dolby Vision is grayed out (unavailable) on rooted devices but available on nonrooted ones? After this fix I was able to enable Dolby Vision but my system just died with this log:

    12-20 23:12:18.951 3725 3839 E WindowManager: Exception checking for game stream. Exception: android.content.pm.PackageManager$NameNotFoundException: ComponentInfo{com.android.tv.settings/.MainSettings}
    12-20 23:12:18.951 3725 3839 I InputDispatcher: Dropped event because of pending overdue app switch.
    12-20 23:12:18.953 3725 3864 E AudioService: Audioserver died.
    12-20 23:12:18.982 4578 5347 D DolbyAudioService: IMs12 implementation died... Restoring settings after restart
    12-20 23:12:18.983 4578 5347 D DolbyAudioService: Attempting to connect to IMs12
    12-20 23:12:18.992 4578 12382 I DolbyAudioService: Waiting 1 second before attempting to connect to IMs12...
    12-20 23:12:19.037 12385 12385 D audiohalservicemsd: main() Starting [email protected] from vendor/dolby.
    12-20 23:12:19.050 12385 12385 D : Calling decrypt_blob. err(0)
    12-20 23:12:19.056 3432 3432 E Ipprotectd: decrypt_blob: Error during launch operation. err(0xffff0011)
    12-20 23:12:19.056 3432 3432 E Ipprotectd: Error occurred at decryption. err(ffff0011)
    12-20 23:12:19.058 12385 12385 E : Decryption failed
    12-20 23:12:19.058 12385 12385 E : decrypt_blob failed! err(0)
    12-20 23:12:19.058 12385 12385 E : Failed to decrypt.
    12-20 23:12:19.058 12385 12385 E : Failed decrypt .text section.
    12-20 23:12:19.059 12385 12385 F libc : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x4ec98e90 in tid 12385 (android.hardwar), pid 12385 (android.hardwar)
    12-20 23:12:19.062 12384 12384 I ServiceManagement: Removing namespace from process name [email protected] to [email protected].

    It seems like some encrypted communication fails which takes the whole system with it. It makes me more suspicious that the bootloader unlock removes/hides/blocks some DRM keys required for AI/Dolby Audio to work. If we could somehow hook into the bootloader unlocking phase to see what's happening ..
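A triage sketch for the crash log in the post above, added here as an example and not code from the thread. It parses logcat threadtime lines and, for each fatal signal, reports the decryption failures logged in the preceding second by the crashing process and by other processes; the one-second window and the result field names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Abridged from the logcat excerpt in the post above (threadtime format).
SAMPLE_LOG = """\
12-20 23:12:18.953 3725 3864 E AudioService: Audioserver died.
12-20 23:12:19.050 12385 12385 D : Calling decrypt_blob. err(0)
12-20 23:12:19.056 3432 3432 E Ipprotectd: decrypt_blob: Error during launch operation. err(0xffff0011)
12-20 23:12:19.058 12385 12385 E : Decryption failed
12-20 23:12:19.058 12385 12385 E : Failed decrypt .text section.
12-20 23:12:19.059 12385 12385 F libc : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x4ec98e90 in tid 12385 (android.hardwar), pid 12385 (android.hardwar)
"""

# date, time, pid, tid, level, tag (may be empty), message
LINE_RE = re.compile(
    r"^(\d\d-\d\d) (\d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+"
    r"([VDIWEF])\s+(.*?)\s*:\s(.*)$")
SIGNAL_RE = re.compile(r"Fatal signal (\d+) \((\w+)\)")
ERR_RE = re.compile(r"err\((?:0x)?([0-9a-fA-F]+)\)")


def parse_line(line):
    """Turn one threadtime line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, clock, pid, tid, level, tag, msg = m.groups()
    # logcat omits the year; a fixed leap year keeps every date parseable.
    ts = datetime.strptime("2000-%s %s" % (date, clock),
                           "%Y-%m-%d %H:%M:%S.%f")
    return {"ts": ts, "pid": int(pid), "tid": int(tid),
            "level": level, "tag": tag, "msg": msg}


def triage(text, window=timedelta(seconds=1)):
    """Correlate each fatal signal with decryption errors just before it."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    failures = [e for e in events
                if e["level"] in "EF" and "decrypt" in e["msg"].lower()]
    findings = []
    for crash in events:
        sig = SIGNAL_RE.search(crash["msg"]) if crash["level"] == "F" else None
        if not sig:
            continue
        near = [f for f in failures
                if timedelta(0) <= crash["ts"] - f["ts"] <= window]
        own = [f for f in near if f["pid"] == crash["pid"]]
        # Non-zero err(...) codes from any process inside the window.
        codes = {c.lower() for f in near
                 for c in ERR_RE.findall(f["msg"]) if int(c, 16)}
        findings.append({
            "pid": crash["pid"],
            "signal": sig.group(2),
            "own_decrypt_errors": len(own),
            "other_reporters": sorted({f["tag"] for f in near
                                       if f["pid"] != crash["pid"]}),
            "error_codes": sorted(codes),
            "likely_cause": ("decrypt_failure_before_crash" if own
                             else "unknown"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```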