Skip to content

Instantly share code, notes, and snippets.

@supechicken
Last active September 29, 2024 11:17
Show Gist options
  • Save supechicken/3c8378be3469bc2f82b7b319f202ed82 to your computer and use it in GitHub Desktop.
Save supechicken/3c8378be3469bc2f82b7b319f202ed82 to your computer and use it in GitHub Desktop.
A tutorial for rooting Xiaomi TV Box S 2nd Gen (jaws) without UART/teardown

Rooting Xiaomi TV Box S 2nd Gen (jaws) without UART/teardown

Table of contents

  • Prerequisites
  • Step 1: Download the stock ROM for Xiaomi TV Box S 2nd Gen
  • Step 2: Extract boot image from the OTA archive
  • Step 3: Update the system with downloaded OTA archive
  • Step 4: Patch boot image with Magisk
  • Step 5: Unlock bootloader with fastboot
  • Step 6: Reboot to system and complete setup
  • Step 7: Redo preparation listed in prerequisites above again (e.g. enabling OEM unlock, USB debugging...)
  • Step 8: Disable AVB (Android Verified Boot) and install the patched boot image

Important

Before you go, please acknowledge that rooting might void the warranty of your Mi Box, and I am not responsible to any unexpected result such as hard-bricking or bootlooping.

Prerequisites

  • (Recommanded) Basic knowledge to command line utilities like cd and ls
  • adb and fastboot available on your computer (download it here)
  • Android OTA payload extractor (download the executable archive in the Release section and extract it using tar or File Explorer depending on your OS)
  • An USB-A male to male cable for connecting the Mi Box and your computer (can be easily be made with two charging cables by soldering/twisting the wires inside with same color together)
  • A USB keyboard
  • Developer option activited and OEM unlocking is switched on
  • USB debugging enabled
  • Magisk Manager and a file picker UI (e.g FX File Explorer) installed
  • Backup all data in the Mi Box as factory reset will be proceed later

Step 1: Download the stock ROM for Xiaomi TV Box S 2nd Gen

We need to get the boot image of the device for rooting, this can be done by extracting the boot image from OTA update archive.

Download the latest OTA zip for Xiaomi TV Box S 2nd Gen from 4pda.to (Google Translate might necessary), locate the Firmware section and download the latest OTA there.

Step 2: Extract boot image from the OTA archive

  • Extract payload.bin from the archive using File Explorer or unzip command
  • Extract all partition images from payload.bin:
/path/to/android-ota-extractor payload.bin
  • (Optional) delete all images except boot.img and vbmeta.img as we don't need them.

Step 3: Update the system with downloaded OTA archive

In order to make sure the boot image extracted above matches the system, updating the Mi Box with the downloaded OTA archive first is recommanded.

  • Reboot to recovery with adb:
/path/to/adb reboot recovery
  • Use a USB keyboard to select Apply update from ADB with arrow keys
  • Reconnect with the USB-A male to male cable
  • Apply the OTA with adb:
/path/to/adb sideload <REPLACE ME WITH THE PATH TO THE OTA ZIP>
  • Reboot to Google TV after update completed

Step 4: Patch boot image with Magisk

  • Send the extracted boot image to the Mi Box with adb:
/path/to/adb push boot.img /sdcard/boot.img
  • The boot image should be available in Internal Storage/boot.img now
  • Open Magisk, click Install and select the boot image

Note

If the file picker does not show up, install a file manager with file picker UI first (e.g FX File Explorer)

  • The patched boot image should be available in /sdcard/Download (the path will be shown in the Magisk app if patched successfully)

  • Use adb to upload the patched image back to computer:

/path/to/adb pull <PATH SHOWN IN MAGISK> patch-boot.img
  • Now a new file called patch-boot.img should be appeared in the current directory

Step 5: Unlock bootloader with fastboot

  • Reboot to fastboot mode:
/path/to/adb reboot bootloader
  • Unlock the bootloader with the following command:
/path/to/fastboot flashing unlock
/path/to/fastboot flashing unlock_critical

Caution

Using fastboot incorrectly might result in unrecoverable damage to your box (i.e. bricked). Proceed with caution!

Important

Unlocking the bootloader will trigger factory reset after reboot, so please remember to backup your data first!

Note

Run the following to check if the bootloader is unlocked successfully (look for unlocked in output):

/path/to/fastboot getvar all

Step 6: Reboot to system and complete setup

Step 7: Redo preparation listed in prerequisites above again (e.g. enabling OEM unlock, USB debugging...)

Step 8: Disable AVB (Android Verified Boot) and install the patched boot image

Tip

AVB (Android Verified Boot) is a security feature introduced in Android 8, which prevents the system booting with modified boot image.

Disabling AVB might necessary in order to boot the patched boot image above.

  • Reboot to fastboot mode:
/path/to/adb reboot bootloader
  • Flash the vbmeta image with verification option disabled:
/path/to/fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
  • Flash the patched boot image:
/path/to/fastboot flash boot patched-boot.img
  • Reboot to system:
/path/to/fastboot reboot

All done

  • Feel free to provide suggestions on this tutorial to make it more noob friendly :)
@harrem35
Copy link

selam
Bu işlemleri resimli anlatmanız mümkün mü? dosyaları indirdim ama yükleme işlerini yapamadım.
teşekkür ederim.

@Joaomods2
Copy link

Create an explanatory video to make it easier to access

@supechicken
Copy link
Author

Create an explanatory video to make it easier to access

No, at least at this moment.

The instructions above should be clear enough. If you don't want to figure it out then nobody can help you.

@zhiyu-zeng
Copy link

Excuse me. Why is my device not found on fastboot

@k4rl0s27
Copy link

Great tutorial, worked like charm!

@Archer3770
Copy link

i have twrp tree of this device who can made and try it ?

@PicPew00
Copy link

can you start xda thread to get more attention to this @supechicken and @Archer3770

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment