A tutorial for rooting Xiaomi TV Box S 2nd Gen (jaws) without UART/teardown

root_mi_box_s_2nd_gen.md

Rooting Xiaomi TV Box S 2nd Gen (jaws) without UART/teardown

Table of contents

• Prerequisites
• Step 1: Download the stock ROM for Xiaomi TV Box S 2nd Gen
• Step 2: Extract boot image from the OTA archive
• Step 3: Update the system with downloaded OTA archive
• Step 4: Patch boot image with Magisk
• Step 5: Unlock bootloader with fastboot
• Step 6: Reboot to system and complete setup
• Step 7: Redo preparation listed in prerequisites above again (e.g. enabling OEM unlock, USB debugging...)
• Step 8: Disable AVB (Android Verified Boot) and install the patched boot image

Important

Before you go, please acknowledge that rooting might void the warranty of your Mi Box, and I am not responsible to any unexpected result such as hard-bricking or bootlooping.

Prerequisites

• (Recommanded) Basic knowledge to command line utilities like cd and ls
• adb and fastboot available on your computer (download it here)
• Android OTA payload extractor (download the executable archive in the Release section and extract it using tar or File Explorer depending on your OS)
• An USB-A male to male cable for connecting the Mi Box and your computer (can be easily be made with two charging cables by soldering/twisting the wires inside with same color together)
• A USB keyboard
• Developer option activited and OEM unlocking is switched on
• USB debugging enabled
• Magisk Manager and a file picker UI (e.g FX File Explorer) installed
• Backup all data in the Mi Box as factory reset will be proceed later

Step 1: Download the stock ROM for Xiaomi TV Box S 2nd Gen

We need to get the boot image of the device for rooting, this can be done by extracting the boot image from OTA update archive.

Download the latest OTA zip for Xiaomi TV Box S 2nd Gen from 4pda.to (Google Translate might necessary), locate the Firmware section and download the latest OTA there.

Step 2: Extract boot image from the OTA archive

• Extract payload.bin from the archive using File Explorer or unzip command
• Extract all partition images from payload.bin:

/path/to/android-ota-extractor payload.bin

• (Optional) delete all images except boot.img and vbmeta.img as we don't need them.

Step 3: Update the system with downloaded OTA archive

In order to make sure the boot image extracted above matches the system, updating the Mi Box with the downloaded OTA archive first is recommanded.

• Reboot to recovery with adb:

/path/to/adb reboot recovery

• Use a USB keyboard to select Apply update from ADB with arrow keys
• Reconnect with the USB-A male to male cable
• Apply the OTA with adb:

/path/to/adb sideload <REPLACE ME WITH THE PATH TO THE OTA ZIP>

• Reboot to Google TV after update completed

Step 4: Patch boot image with Magisk

• Send the extracted boot image to the Mi Box with adb:

/path/to/adb push boot.img /sdcard/boot.img

• The boot image should be available in Internal Storage/boot.img now
• Open Magisk, click Install and select the boot image

Note

If the file picker does not show up, install a file manager with file picker UI first (e.g FX File Explorer)

• The patched boot image should be available in /sdcard/Download (the path will be shown in the Magisk app if patched successfully)

• Use adb to upload the patched image back to computer:

/path/to/adb pull <PATH SHOWN IN MAGISK> patch-boot.img

• Now a new file called patch-boot.img should be appeared in the current directory

Step 5: Unlock bootloader with fastboot

• Reboot to fastboot mode:

/path/to/adb reboot bootloader

• Unlock the bootloader with the following command:

/path/to/fastboot flashing unlock
/path/to/fastboot flashing unlock_critical

Caution

Using fastboot incorrectly might result in unrecoverable damage to your box (i.e. bricked). Proceed with caution!

Important

Unlocking the bootloader will trigger factory reset after reboot, so please remember to backup your data first!

Note

Run the following to check if the bootloader is unlocked successfully (look for unlocked in output):

/path/to/fastboot getvar all

Step 6: Reboot to system and complete setup

Step 7: Redo preparation listed in prerequisites above again (e.g. enabling OEM unlock, USB debugging...)

Step 8: Disable AVB (Android Verified Boot) and install the patched boot image

Tip

AVB (Android Verified Boot) is a security feature introduced in Android 8, which prevents the system booting with modified boot image.

Disabling AVB might necessary in order to boot the patched boot image above.

• Reboot to fastboot mode:

/path/to/adb reboot bootloader

• Flash the vbmeta image with verification option disabled:

/path/to/fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img

• Flash the patched boot image:

/path/to/fastboot flash boot patched-boot.img

• Reboot to system:

/path/to/fastboot reboot

All done

• Feel free to provide suggestions on this tutorial to make it more noob friendly :)

Create an explanatory video to make it easier to access

No, at least at this moment.

The instructions above should be clear enough. If you don't want to figure it out then nobody can help you.

Excuse me. Why is my device not found on fastboot

Great tutorial, worked like charm!

i have twrp tree of this device who can made and try it ?

can you start xda thread to get more attention to this @supechicken and @Archer3770

I'm developing LineageOS for this device and I need someone to dump the dtb from stock since I ended up flashing a broken one and the ota package does not include one, I'd really appreciate it

Is this mandatory in order to install CoreElec, or can I skip the process?

Is this mandatory in order to install CoreElec, or can I skip the process?

You just need to unlock the bootloader for that, no root needed. But keep in mind that CoreElec doesn't boot yet on this device, it does attempt to boot but fails to mount the rootfs

Aha... So that's why it doesn't work :(. Figured any S905X4 would work.
Just to make sure - how would I unlock the bootloader? Is it just a matter of enabling some settings on the deveoper options screen?

Aha... So that's why it doesn't work :(. Figured any S905X4 would work. Just to make sure - how would I unlock the bootloader? Is it just a matter of enabling some settings on the deveoper options screen?

To unlock just enable developer settings and then toggle OEM unlocking and follow part 5 of the guide above, I'm working on Lineage but it still needs a few things done (microphone doesn't work yet)

I was able to tell the device adb reboot bootloader (remotely from an ADB on a remote device), but after reboot I fail to understand how I can connect to the device again. Wifi is offline, tried usb-to-ethernet but that too is not working in bootloader mode. Should that be done via USB? I connected the device to another computer via USB but it would not appear in adb devices while in the bootloader screen as well.

I was able to tell the device adb reboot bootloader (remotely from an ADB on a remote device), but after reboot I fail to understand how I can connect to the device again. Wifi is offline, tried usb-to-ethernet but that too is not working in bootloader mode. Should that be done via USB? I connected the device to another computer via USB but it would not appear in adb devices while in the bootloader screen as well.

You need a USB A to USB A cable to use fastboot

I used USB-A to USB-C (to MacBook Pro), would that not work?

I used USB-A to USB-C (to MacBook Pro), would that not work?

It would not since that works as if the MacBook was connected to the mi box, not the other way around

Thanks. By adding a USB-A to USB-C adapter (making it A-to-A), it worked.
As you noted - still the device will not boot the CoreElec boot drive. Let's see how it goes :).

In case anyone wants it, here's a module that replaces the Google TV Launcher with the Android TV one (Ad Free) https://github.com/davigamer987/atv-adfree-module/releases/download/V1/atvlauncher.zip