A tutorial for rooting Xiaomi TV Box S 2nd Gen (jaws) without UART/teardown

root_mi_box_s_2nd_gen.md

Rooting Xiaomi TV Box S 2nd Gen (jaws) without UART/teardown

Table of contents

• Prerequisites
• Step 1: Download the stock ROM for Xiaomi TV Box S 2nd Gen
• Step 2: Extract boot image from the OTA archive
• Step 3: Update the system with downloaded OTA archive
• Step 4: Patch boot image with Magisk
• Step 5: Unlock bootloader with fastboot
• Step 6: Reboot to system and complete setup
• Step 7: Redo preparation listed in prerequisites above again (e.g. enabling OEM unlock, USB debugging...)
• Step 8: Disable AVB (Android Verified Boot) and install the patched boot image

Important

Before you go, please acknowledge that rooting might void the warranty of your Mi Box, and I am not responsible to any unexpected result such as hard-bricking or bootlooping.

Prerequisites

• (Recommanded) Basic knowledge to command line utilities like cd and ls
• adb and fastboot available on your computer (download it here)
• Android OTA payload extractor (download the executable archive in the Release section and extract it using tar or File Explorer depending on your OS)
• An USB-A male to male cable for connecting the Mi Box and your computer (can be easily be made with two charging cables by soldering/twisting the wires inside with same color together)
• A USB keyboard
• Developer option activited and OEM unlocking is switched on
• USB debugging enabled
• Magisk Manager and a file picker UI (e.g FX File Explorer) installed
• Backup all data in the Mi Box as factory reset will be proceed later

Step 1: Download the stock ROM for Xiaomi TV Box S 2nd Gen

We need to get the boot image of the device for rooting, this can be done by extracting the boot image from OTA update archive.

Download the latest OTA zip for Xiaomi TV Box S 2nd Gen from 4pda.to (Google Translate might necessary), locate the Firmware section and download the latest OTA there.

Step 2: Extract boot image from the OTA archive

• Extract payload.bin from the archive using File Explorer or unzip command
• Extract all partition images from payload.bin:

/path/to/android-ota-extractor payload.bin

• (Optional) delete all images except boot.img and vbmeta.img as we don't need them.

Step 3: Update the system with downloaded OTA archive

In order to make sure the boot image extracted above matches the system, updating the Mi Box with the downloaded OTA archive first is recommanded.

• Reboot to recovery with adb:

/path/to/adb reboot recovery

• Use a USB keyboard to select Apply update from ADB with arrow keys
• Reconnect with the USB-A male to male cable
• Apply the OTA with adb:

/path/to/adb sideload <REPLACE ME WITH THE PATH TO THE OTA ZIP>

• Reboot to Google TV after update completed

Note

If you are receiving an error like this:

Update package is older than the current build, expected a build newer than timestamp 1723513642 but the package has timestamp 1697102071 and downgrade is not allowed.

Try extracting all images from payload.bin using android-ota-extractor and flashing them manually via fastboot as described here (see Flash all the necessary images part)

Step 4: Patch boot image with Magisk

• Send the extracted boot image to the Mi Box with adb:

/path/to/adb push boot.img /sdcard/boot.img

• The boot image should be available in Internal Storage/boot.img now
• Open Magisk, click Install and select the boot image

Note

If the file picker does not show up, install a file manager with file picker UI first (e.g FX File Explorer)

• The patched boot image should be available in /sdcard/Download (the path will be shown in the Magisk app if patched successfully)

• Use adb to upload the patched image back to computer:

/path/to/adb pull <PATH SHOWN IN MAGISK> patch-boot.img

• Now a new file called patch-boot.img should be appeared in the current directory

Step 5: Unlock bootloader with fastboot

• Reboot to fastboot mode:

/path/to/adb reboot bootloader

• Unlock the bootloader with the following command:

/path/to/fastboot flashing unlock
/path/to/fastboot flashing unlock_critical

Caution

Using fastboot incorrectly might result in unrecoverable damage to your box (i.e. bricked). Proceed with caution!

Important

Unlocking the bootloader will trigger factory reset after reboot, so please remember to backup your data first!

Note

Run the following to check if the bootloader is unlocked successfully (look for unlocked in output):

/path/to/fastboot getvar all

Step 6: Reboot to system and complete setup

Step 7: Redo preparation listed in prerequisites above again (e.g. enabling OEM unlock, USB debugging...)

Step 8: Disable AVB (Android Verified Boot) and install the patched boot image

Tip

AVB (Android Verified Boot) is a security feature introduced in Android 8, which prevents the system booting with modified boot image.

Disabling AVB might necessary in order to boot the patched boot image above.

• Reboot to fastboot mode:

/path/to/adb reboot bootloader

• Flash the vbmeta image with verification option disabled:

/path/to/fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img

• Flash the patched boot image:

/path/to/fastboot flash boot patched-boot.img

• Reboot to system:

/path/to/fastboot reboot

All done

• Feel free to provide suggestions on this tutorial to make it more noob friendly :)

Read more

• Check this XDA post about debricking Xiaomi TV Box S 2nd Gen if you accidentally bricked your box :P

selam
Bu işlemleri resimli anlatmanız mümkün mü? dosyaları indirdim ama yükleme işlerini yapamadım.
teşekkür ederim.

Create an explanatory video to make it easier to access

Create an explanatory video to make it easier to access

No, at least at this moment.

The instructions above should be clear enough. If you don't want to figure it out then nobody can help you.

Excuse me. Why is my device not found on fastboot

Great tutorial, worked like charm!

i have twrp tree of this device who can made and try it ?

can you start xda thread to get more attention to this @supechicken and @Archer3770

I'm developing LineageOS for this device and I need someone to dump the dtb from stock since I ended up flashing a broken one and the ota package does not include one, I'd really appreciate it

Is this mandatory in order to install CoreElec, or can I skip the process?

Is this mandatory in order to install CoreElec, or can I skip the process?

You just need to unlock the bootloader for that, no root needed. But keep in mind that CoreElec doesn't boot yet on this device, it does attempt to boot but fails to mount the rootfs

Aha... So that's why it doesn't work :(. Figured any S905X4 would work.
Just to make sure - how would I unlock the bootloader? Is it just a matter of enabling some settings on the deveoper options screen?

Aha... So that's why it doesn't work :(. Figured any S905X4 would work. Just to make sure - how would I unlock the bootloader? Is it just a matter of enabling some settings on the deveoper options screen?

To unlock just enable developer settings and then toggle OEM unlocking and follow part 5 of the guide above, I'm working on Lineage but it still needs a few things done (microphone doesn't work yet)

I was able to tell the device adb reboot bootloader (remotely from an ADB on a remote device), but after reboot I fail to understand how I can connect to the device again. Wifi is offline, tried usb-to-ethernet but that too is not working in bootloader mode. Should that be done via USB? I connected the device to another computer via USB but it would not appear in adb devices while in the bootloader screen as well.

I was able to tell the device adb reboot bootloader (remotely from an ADB on a remote device), but after reboot I fail to understand how I can connect to the device again. Wifi is offline, tried usb-to-ethernet but that too is not working in bootloader mode. Should that be done via USB? I connected the device to another computer via USB but it would not appear in adb devices while in the bootloader screen as well.

You need a USB A to USB A cable to use fastboot

I used USB-A to USB-C (to MacBook Pro), would that not work?

I used USB-A to USB-C (to MacBook Pro), would that not work?

It would not since that works as if the MacBook was connected to the mi box, not the other way around

Thanks. By adding a USB-A to USB-C adapter (making it A-to-A), it worked.
As you noted - still the device will not boot the CoreElec boot drive. Let's see how it goes :).

In case anyone wants it, here's a module that replaces the Google TV Launcher with the Android TV one (Ad Free) https://github.com/davigamer987/atv-adfree-module/releases/download/V1/atvlauncher.zip

Putting this here because I had issues where I had
< waiting for any device >
After running fastboot flashing unlock

Installing this driver in device manager fixed the issue.

The system automatically updated itself on the first boot. When I attempted to install the OTA via sideload, I encountered the following error:
"Update package is older than the current build, expected a build newer than timestamp 1723513642 but the package has timestamp 1697102071 and downgrade is not allowed."

Any idea how to fix this?

The system automatically updated itself on the first boot. When I attempted to install the OTA via sideload, I encountered the following error: "Update package is older than the current build, expected a build newer than timestamp 1723513642 but the package has timestamp 1697102071 and downgrade is not allowed."

Any idea how to fix this?

That means you have downloaded an outdated OTA firmware that is older than your current version. Make sure you are downloading the latest firmware from 4pda.

Link to OTA RTT0.211222.001.773 is missing. Can someone share it, or tell me where to find it? Mine came with a firmware version of RTT0.211222.001.767 which is not present in the 4PDA so I have to update before rooting.

Link to OTA RTT0.211222.001.773 is missing. Can someone share it, or tell me where to find it? Mine came with a firmware version of RTT0.211222.001.767 which is not present in the 4PDA so I have to update before rooting.

I’m facing the same issue. I cannot find a newer firmware version (on 4PDA, or anywhere else), and the system automatically updates to the latest version without giving any option to stop the process, at least not before enabling the Developer Options.

I've put together a new tutorial that should work for most users:

https://github.com/x011/Root-Xiaomi-TV-Box-S-2nd-Gen-MDZ-28-AA

I've put together a new tutorial that should work for most users:

https://github.com/x011/Root-Xiaomi-TV-Box-S-2nd-Gen-MDZ-28-AA

Yeah, flashing all images in payload.bin under fastboot (instead of installing it within recovery) will bypass the version check.

I have updated the guide for it, thanks for the fix!

I have done step 5, however after rebooting the bootloader, the screen is stuck at Mi, did I do something wrong in step 4? Although in step 4 I was able to install OTA as usual, but after the installation was complete, the usb automatically disconnected, I could not use the usb keyboard after that so I had to unplug the power to restart. I have tried a few ways but still cannot enter fastboot. This is my OTA code: RTT0.211222.001/737:user/release-keys

This seems like a bootloop issue. In step 4 you need to patch the boot.img with Magisk. Did you do that on the device after installing Magisk or did you try to patch boot.img from another device like your phone? I think that if you soft brick the device you need to open it and bridge some connectors to force it into fastboot.

This seems like a bootloop issue. In step 4 you need to patch the boot.img with Magisk. Did you do that on the device after installing Magisk or did you try to patch boot.img from another device like your phone? I think that if you soft brick the device you need to open it and bridge some connectors to force it into fastboot.

I think it was blocked by the provider and had to bridge as you said. However, I'm quite hesitant to do so because I don't have the technical skills :D thank you for sharing