Rooting a new Android set top box: LGE SH960S-AT (Airtel Internet Tv Set top box)

avisekjena

Member
Oct 25, 2014
17
7
3
Hi All,

How can I root a stb, running Android 6.0.1 with no access to bootloader.
I have access to recovery, but it accepts only vendor encrypted/signed update files.
Adb via usb is not available, but can connect using wifi/lan when OS has booted.
Have already tried most one-click apps.

Any crazy idea/help/suggestion is appreciated.

People interested in details, can read the long story below.

The Amazon Prime app on the settop box lags a lot many a times while Netflix and Youtube work perfectly fine. So, I thought of diagnosing the problem using adb logact and found every few seconds, few frames are getting skipped. To analyze the problem further, isolate bandwidth/resources problems vs app problem, wanted to root the device.
This is the first time, I am trying to root a device for which no existing solution is available. I have been trying to root for two weeks now, but no luck. . While the Amazon prime was the reason for this voyage, rooting will open new avenues. :D

About the device:
⦁ Sold by Airtel India under brand name Internet TV (Not IPTV)
⦁ Manufactured by LG Electronics. Model: SH960S-AT
⦁ LG has published the opensource components used here.
⦁ More details about the hardware here.
⦁ Android Lollypop, upgraded to Marshmallow 6.0.1
⦁ With March 2018 Android Security Update

Here is what all I have tried so far:

ADB
⦁ Device does not detect when connected using USB Male to Male cable. So, no ADB USB.
⦁ However, I can connect ADB using Wifi. (adb connect IP).
⦁ To be sure of the IP, I have configured my Router DHCP to assign a specific IP to the MAC
⦁ I found in default.prop persist.sys.usb.config=none. My assumption, airtel has disabled adb via USB connection.

Bootloader
⦁ If I do a adb reboot bootloader, system restarts but gets stuck on the vendor logo.


⦁ In that state, I have tried many possible key combinations (power button on the box, several other buttons on the remote and usb keyboard), but it stays stuck there, until you pull the plug.
⦁ I have also tried many button combinations in power off state, no luck.
⦁ USB is still not recognized in this state, so no adb or fastboot.

Recovery
⦁ Doing adb reboot recovery restarts the system into the stock android recovery.
⦁ The same screen can be reached by following steps:
⦁ Unplug the box
⦁ Keep the power button pressed, plug in the device.

⦁ After the android logo comes, press Home from keyboard.

⦁ The following options are available:
Reboot to Bootloader: Same as above, gets stuck on vendor logo.
Apply update from Adb: Since usb connection/adb is not available, it just waits for a connection and times out. Adb using wifi/lan does not work. I assume, their drivers are not initialized in recovery.
Apply update from SD Card: I have copied the usual (su binary update.zip) to root of sd card. But it does not mount SD card properly. I have tried SD cards of different sizes, formats etc., no luck.


Apply update from USB: It was not recognized initially, but after going through recovery logs and trying several formats for the card, now it recognizes the card. I can select the zip file, but it shows Failed to map file. I assume it is not finding a vendor specific signature/encryption


One-click apps and other exploits
⦁ Have tried all the popular one-click apps, Kingroot, Framaroot, etc., no luck.
⦁ Have tried dirtycow exploit. But since the security update is March 2018, none of the known exploits work.
⦁ I am yet to find any POC for fixes in April 2018 or later android security updates.

Update service:
⦁ One system app called OtaDownloaderApp.apk is probably used by the vendor to push OTA updates.
⦁ Pulled the apk and disassembled it to find the url of the update file.
⦁ Downloaded it to understand the structure and explore any other possibility.
⦁ It does not seem like a normal .zip file and might be encrypted.
⦁ I tried the above file as Apply Update from USB from Recovery, it installed the updates

⦁ Now, could there be a way to decrypt/modify the update file to include su?

To add: Since the device is yet to be rooted, no way to extract the boot.img and patching.

Let me know if you need more clarification in any points I have mentioned.

* For some reason, I am not able to embed images in the post. You can view them here.
https://forum.xda-developers.com/album.php?albumid=15064
 
Last edited:

umair9001

Senior Member
Mar 21, 2010
276
87
58
Doha
www.facebook.com
that's a pretty comprehensive attempt..would love to see if we could play with the os..

The link https://android.ota.airtel.in:8008/public/protected/ota/160/airtel_g1_update has many other variations like 161, 162, etc..but all the files are being downloaded in an encrypted format with different sizes..does airtel have more to android than this internet tv?

ex:
https://android.ota.airtel.in:8008/public/protected/ota/182/airtel_g1_update
https://android.ota.airtel.in:8008/public/protected/ota/181/airtel_g1_update
 
Last edited:
  • Like
Reactions: sayanux

avisekjena

Member
Oct 25, 2014
17
7
3
that's a pretty comprehensive attempt..would love to see if we could play with the os..

The link https://android.ota.airtel.in:8008/public/protected/ota/160/airtel_g1_update has many other variations like 161, 162, etc..but all the files are being downloaded in an encrypted format with different sizes..does airtel have more to android than this internet tv?

ex:
https://android.ota.airtel.in:8008/public/protected/ota/182/airtel_g1_update
https://android.ota.airtel.in:8008/public/protected/ota/181/airtel_g1_update
Thanks Umair, for going through the very long post. :D Breaks my heart, have not reached anywhere so far with it. :(

Yes, I have downloaded few other versions. All of them encrypted. AFAIK, Airtel does not have other products with android. 160 and 180 are different versions for the same STB: Build v 06.02.61 and 06.02.67 respectively. I assume all others will be other releases for the same STB.

Have also tried to use linkchecker to crawl through the site and explore more links. No luck, seems deliberately excluded from robot.txt.

Add: Wanted to check if the files are encrypted or just a new type of compression (e.g. Brotli). Opened few of them in a hex editor, could not find any common beginning or end. Leads me to believe, these are encrypted.
 
Last edited:
  • Like
Reactions: knidsrok

rohitatiit

New member
Jul 8, 2011
2
0
0
Hope we can make some progress, would be nice to see android TV Oreo on this box.
Another strange thing is the remote on Airtel internet TV drain battery like anything.
 

avisekjena

Member
Oct 25, 2014
17
7
3
brother could u post airtel stb apk ? :)


another update

this stb Launched over 2 Years ago in France the Dual core ARM B15 BCM7252S as well

which is called the Freebox Mini 4K
Sorry brother, missed the notification. Are you asking for the update service/app that i mentioned above? Or the launcher/tv UI app? Let me know.

As far as Freebox is concerned, it does share the same chipset, but the end product looks different. And Airtel probably has done customizations for bootloader and OS.
 

avisekjena

Member
Oct 25, 2014
17
7
3
Hope we can make some progress, would be nice to see android TV Oreo on this box.
Another strange thing is the remote on Airtel internet TV drain battery like anything.
Well, as of now I have hit a dead-end, with no access to root. :(
Oreo seems a long way. :D

Yes! the remote does drain battery really fast. I remember observing in logs that STB tries to check the status of the remote, (such as battery percent, etc) at regular intervals. Don't remember the interval, but I wonder if this is normal/the best practice. This might be draining the battery fast.
We could look into its apk and probably try a patch, but then we wont be able to update it (assuming its a system app) without root.

On a different note, do you also face the following issues:
  • Remote stops working sometimes. I have to pull out and reinsert the batteries to make it work.
  • Voice search using the remote is so unreliable. It results in error most of the times.
  • Amazon Prime lags a lot, while Netflix and Youtube work smoothly. Prime app might be bandwidth hungry.
 

sayanux

Member
Sep 3, 2018
8
0
0
Sorry brother, missed the notification. Are you asking for the update service/app that i mentioned above? Or the launcher/tv UI app? Let me know.

As far as Freebox is concerned, it does share the same chipset, but the end product looks different. And Airtel probably has done customizations for bootloader and OS.
tv app apk
 

riks4039

Senior Member
Jan 13, 2011
59
1
0
navi mumbai
Can anyone help bypass the subscription check. So I can use the android without dish

I m airtel internet tv user my subscription is over now and Airtel packages are really high and without package I m not able to use anything on the box so any options to bypass the subscription check. So I can use it without dish as a normal android box. Thanks in advance.
 

sayanux

Member
Sep 3, 2018
8
0
0
I m airtel internet tv user my subscription is over now and Airtel packages are really high and without package I m not able to use anything on the box so any options to bypass the subscription check. So I can use it without dish as a normal android box. Thanks in advance.
Dump airtel dth long ago ... using MI tv box 3 (mdz 16 ab) with jio stb apk and livenet tv apk ... now am happy :cool: :victory:

ps : u cant bypass airtel internet box subscription :(
 

riks4039

Senior Member
Jan 13, 2011
59
1
0
navi mumbai
Dumping isn't solution for the money we paid them. And what if we get some idea to install custom ROM and m sure in custom rom we can boot it without any subscription just like a ordinary android box. at present it just works for few min and again it comes to the errors screen that my subscription is over. Don't want to give up so easily. I still have hope.
 

supercsrl

New member
Dec 18, 2009
2
0
21
dont know your box's charachteristics but some have a pinhole push button inside the 3,5mm jack that needs to be pushed during boot to get to twrp
 

jayg17

New member
Jan 7, 2019
2
3
0
i used adblink and removed all the airtel app with adb shell command and the box works as android box now.

No Subscription check no airtel launcher, just google launcher and apps as soon as it boots
 

Anaswalikhan

New member
Mar 25, 2013
3
0
0
Please sent a full process how you done that thanks .. please........................

:)
i used adblink and removed all the airtel app with adb shell command and the box works as android box now.

No Subscription check no airtel launcher, just google launcher and apps as soon as it boots
jakakakaksksn