supechicken

Rooting Xiaomi TV Box S 2nd Gen (jaws) without UART/teardown

Table of contents

• Prerequisites
• Step 1: Download the stock ROM for Xiaomi TV Box S 2nd Gen
• Step 2: Extract boot image from the OTA archive
• Step 3: Update the system with downloaded OTA archive
• Step 4: Patch boot image with Magisk
• Step 5: Unlock bootloader with fastboot
• Step 6: Reboot to system and complete setup

supechicken

#!/usr/bin/env ruby
# CroshSU: "Fix" sudo in crosh by redirecting all sudo calls to VT-2 shell, inspired by root solutions on Android
#
# Usage: put this script into /usr/local/bin, run `crosh-su --daemon` in VT-2 and run
#        some command with `crosh-su --client <command you want to run with root>` in crosh
#
require 'io/console'
require 'socket'
require 'pty'
require 'fileutils'

supechicken

set -e

mkdir -p kernel && cd kernel
git clone --depth=1 https://github.com/Xiaomi-SM8350-Development/kernel_xiaomi_sm8350 .

curl -LSs "https://raw.githubusercontent.com/tiann/KernelSU/main/kernel/setup.sh" | bash -
cat /mnt/c/Users/supec/Documents/*kernelsu*.diff | patch -p1
cp /mnt/c/Users/supec/Downloads/config.txt .config

sed -i 's/-ReBorn-11TPro/-SupeChicken666/' .config

supechicken

#!/usr/bin/env ruby

MetaStruct = {
  file_magic:   :txt, # File magic, should be "RIFF"
  payload_size: :int, # Size of the file (excluding the file magic)

  riff_chunkType:   :txt, # Should be "ACON"
  riff_chunkID:     :txt, # Should be "anih"
  riff_chunkSize:   :int, # Should be 36

supechicken

Keybase proof

I hereby claim:

• I am supechicken on github.
• I am supechicken666 (https://keybase.io/supechicken666) on keybase.
• I have a public key whose fingerprint is 8E44 2218 70D6 A51F 6680 E110 615E 32BA 9CA6 4A14

To claim this, I am signing this object:

supechicken

$LOAD_PATH << "#{Dir.pwd}/lib"
require 'package'

`grep -A1 '# Adapted from Arch Linux .* PKGBUILD at:' packages/*.rb`.split('--').map do |message|
  message.strip.lines(chomp: true)[1].sub(/ # .*/, '').split('-# ', 2)
end.each do |pkgFile, archLink|
  latest_ver = `curl -Ls '#{archLink.sub('blob', 'raw')}'`[/^pkgver=(.*)$/, 1]
  current_ver = Package.load_package(pkgFile).version

  puts "#{pkgFile}: current: #{current_ver}, latest: #{latest_ver}"

supechicken

require 'fileutils'

loop do
  print 'Commit: '
  commit = $stdin.gets

  system 'git', 'checkout', commit, chdir: 'platform2'

  FileUtils.rm_rf %w[a b]
  FileUtils.cp_r 'platform2/vm_tools/sommelier', 'a'

supechicken

/*
  remove_on_copy.c: Remove each file listed in tar archive once they sent to stdout

  Usage:
     stdin: Tar archive (only ustar format is supported) created by tar -c
    stdout: Tar extract command (tar -x)

  Option:
    -v      Enable verbose output

supechicken

Custom boot splash screen/animation on Chrome/Chromium OS

Before you start...

^{You can find tutorials about these online}

• Enable Chrome OS developer mode
• Disable root filesystem verification, remount root filesystem as read/write

Steps

• Pick a .gif image that you wish to be the boot splash animation
• Go to https://ezgif.com/split, upload the .gif file
• Select Output images in PNG format in Split options

supechicken

#!/bin/bash -eu
# disable_verify.sh: Script to disable rootFS verification on Chrome OS Flex/CloudReady 96+
#
# Usage:
#   curl -Ls 'https://gist.github.com/supechicken/ccf8bfad3be30dbcd144b46bc4d7083e/raw' | sudo bash -eu

[[ "${EUID}" != 0 ]] && echo -e "\e[1;31m"'Please run this script as root.'"\e[0m" && exit 1

# get disk device name which has Chrome OS installed to
cros_disk="$([[ "$(mount | grep '/mnt/stateful_partition')" =~ (sd[a-z]|nvme[0-9]n[0-9]p|mmcblk[0-9]p) ]] && \