@supechicken
Last active June 9, 2025 09:33
A tutorial for rooting Xiaomi TV Box S 2nd Gen (jaws) without UART/teardown

Rooting Xiaomi TV Box S 2nd Gen (jaws) without UART/teardown

Table of contents

  • Prerequisites
  • Step 1: Download the stock ROM for Xiaomi TV Box S 2nd Gen
  • Step 2: Extract boot image from the OTA archive
  • Step 3: Update the system with downloaded OTA archive
  • Step 4: Patch boot image with Magisk
  • Step 5: Unlock bootloader with fastboot
  • Step 6: Reboot to system and complete setup
  • Step 7: Redo the preparation listed in the prerequisites above (e.g. enabling OEM unlock, USB debugging...)
  • Step 8: Disable AVB (Android Verified Boot) and install the patched boot image

Important

Before you start, please acknowledge that rooting might void the warranty of your Mi Box, and that I am not responsible for any unexpected results such as hard-bricking or bootlooping.

Prerequisites

  • (Recommended) Basic knowledge of command line utilities like cd and ls
  • adb and fastboot available on your computer (download it here)
  • Android OTA payload extractor (download the executable archive in the Release section and extract it using tar or File Explorer depending on your OS)
  • A USB-A male to male cable for connecting the Mi Box and your computer (can easily be made from two charging cables by soldering/twisting together the wires of the same color)
  • A USB keyboard
  • Developer options activated and OEM unlocking switched on
  • USB debugging enabled
  • Magisk Manager and a file picker UI (e.g. FX File Explorer) installed
  • Back up all data on the Mi Box, as a factory reset will be performed later

Step 1: Download the stock ROM for Xiaomi TV Box S 2nd Gen

We need the boot image of the device for rooting. It can be obtained by extracting it from the OTA update archive.

Download the latest OTA zip for Xiaomi TV Box S 2nd Gen from 4pda.to (Google Translate might be necessary): locate the Firmware section and download the latest OTA there.

Step 2: Extract boot image from the OTA archive

  • Extract payload.bin from the archive using File Explorer or unzip command
  • Extract all partition images from payload.bin:
/path/to/android-ota-extractor payload.bin
  • (Optional) Delete all images except boot.img and vbmeta.img, as the others are not needed.

Step 3: Update the system with downloaded OTA archive

To make sure the boot image extracted above matches the system, updating the Mi Box with the downloaded OTA archive first is recommended.

  • Reboot to recovery with adb:
/path/to/adb reboot recovery
  • Use a USB keyboard to select Apply update from ADB with arrow keys
  • Reconnect with the USB-A male to male cable
  • Apply the OTA with adb:
/path/to/adb sideload <REPLACE ME WITH THE PATH TO THE OTA ZIP>
  • Reboot to Google TV after the update completes

Note

If you are receiving an error like this:

Update package is older than the current build, expected a build newer than timestamp 1723513642 but the package has timestamp 1697102071 and downgrade is not allowed.

Try extracting all images from payload.bin using android-ota-extractor and flashing them manually via fastboot as described here (see the "Flash all the necessary images" part).
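The check behind that error can be reproduced before sideloading. The following is an added example, not part of the original gist: it reads `post-timestamp` from the OTA zip's `META-INF/com/android/metadata` file and compares it with the device's build timestamp. The sample zip is constructed in memory, and the function names are illustrative.

```python
import io
import zipfile

METADATA_PATH = "META-INF/com/android/metadata"  # key=value text file in AOSP OTA zips

def read_ota_metadata(ota_zip):
    """Return the key=value pairs from an OTA package's metadata file."""
    with zipfile.ZipFile(ota_zip) as zf:
        text = zf.read(METADATA_PATH).decode("utf-8")
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def sideload_allowed(metadata, device_build_utc):
    """Apply the rule from the error message: reject a package older than the build.

    device_build_utc is what `adb shell getprop ro.build.date.utc` prints.
    Assumption: the package does not carry an explicit downgrade marker.
    """
    package_utc = int(metadata["post-timestamp"])
    if package_utc < device_build_utc:
        return False, f"package {package_utc} is older than build {device_build_utc}"
    return True, f"package {package_utc} is not older than build {device_build_utc}"

def make_sample_ota(post_timestamp):
    """Build a constructed, in-memory OTA zip that contains only the metadata file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(METADATA_PATH,
                    f"ota-type=AB\npre-device=jaws\npost-timestamp={post_timestamp}\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Timestamps taken from the error message quoted above.
    meta = read_ota_metadata(make_sample_ota(1697102071))
    ok, reason = sideload_allowed(meta, 1723513642)
    print("sideload would be accepted" if ok else "sideload would be rejected", "-", reason)
```

For a downloaded package, pass its path to `read_ota_metadata` instead of the constructed sample.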

Step 4: Patch boot image with Magisk

  • Send the extracted boot image to the Mi Box with adb:
/path/to/adb push boot.img /sdcard/boot.img
  • The boot image should be available in Internal Storage/boot.img now
  • Open Magisk, click Install and select the boot image

Note

If the file picker does not show up, install a file manager with a file picker UI first (e.g. FX File Explorer)

  • The patched boot image should be available in /sdcard/Download (the path will be shown in the Magisk app if patched successfully)

  • Use adb to copy the patched image back to the computer:

/path/to/adb pull <PATH SHOWN IN MAGISK> patch-boot.img
  • A new file called patch-boot.img should now appear in the current directory

Step 5: Unlock bootloader with fastboot

  • Reboot to fastboot mode:
/path/to/adb reboot bootloader
  • Unlock the bootloader with the following command:
/path/to/fastboot flashing unlock
/path/to/fastboot flashing unlock_critical

Caution

Using fastboot incorrectly might result in unrecoverable damage to your box (i.e. bricked). Proceed with caution!

Important

Unlocking the bootloader will trigger a factory reset after reboot, so please remember to back up your data first!

Note

Run the following to check if the bootloader is unlocked successfully (look for unlocked in output):

/path/to/fastboot getvar all

Step 6: Reboot to system and complete setup

Step 7: Redo the preparation listed in the prerequisites above (e.g. enabling OEM unlock, USB debugging...)

Step 8: Disable AVB (Android Verified Boot) and install the patched boot image

Tip

AVB (Android Verified Boot) is a security feature introduced in Android 8 that prevents the system from booting with a modified boot image.

Disabling AVB might be necessary in order to boot the patched boot image above.

  • Reboot to fastboot mode:
/path/to/adb reboot bootloader
  • Flash the vbmeta image with verification option disabled:
/path/to/fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
  • Flash the patched boot image:
/path/to/fastboot flash boot patch-boot.img
  • Reboot to system:
/path/to/fastboot reboot
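To see what the two `--disable-*` options change, and to audit a vbmeta partition dump for a weakened verified-boot state, the header flags can be decoded directly. This is an added example, not part of the original gist: it assumes the standard 256-byte AVB vbmeta header layout (magic `AVB0`, big-endian `flags` field at offset 120), and the sample headers are constructed.

```python
import struct

HEADER_SIZE = 256               # fixed size of the vbmeta image header
FLAGS_OFFSET = 120              # big-endian uint32 "flags" field
ROLLBACK_INDEX_OFFSET = 112     # big-endian uint64 "rollback_index" field
HASHTREE_DISABLED = 0x1         # bit set by fastboot --disable-verity
VERIFICATION_DISABLED = 0x2     # bit set by fastboot --disable-verification

def inspect_vbmeta(image):
    """Decode the AVB state recorded in a vbmeta image or partition dump."""
    if len(image) < HEADER_SIZE or image[:4] != b"AVB0":
        raise ValueError("not a vbmeta image: AVB0 magic missing or header truncated")
    major, minor = struct.unpack_from(">II", image, 4)
    (rollback_index,) = struct.unpack_from(">Q", image, ROLLBACK_INDEX_OFFSET)
    (flags,) = struct.unpack_from(">I", image, FLAGS_OFFSET)
    return {
        "libavb_version": f"{major}.{minor}",
        "rollback_index": rollback_index,
        "verity_disabled": bool(flags & HASHTREE_DISABLED),
        "verification_disabled": bool(flags & VERIFICATION_DISABLED),
        "unknown_flag_bits": flags & ~(HASHTREE_DISABLED | VERIFICATION_DISABLED),
    }

def make_sample_header(flags):
    """Constructed 256-byte header: magic, version 1.0, zeroed fields, given flags."""
    header = bytearray(HEADER_SIZE)
    header[:4] = b"AVB0"
    struct.pack_into(">II", header, 4, 1, 0)
    struct.pack_into(">I", header, FLAGS_OFFSET, flags)
    return bytes(header)

if __name__ == "__main__":
    # flags=0 models a stock image, flags=3 models the state written in step 8.
    for label, flags in (("stock", 0), ("after step 8", 3)):
        print(label, inspect_vbmeta(make_sample_header(flags)))
```

fastboot sets these bits in the data it sends, so the vbmeta.img file on disk still reports both checks enabled. Run `inspect_vbmeta` on the bytes of a partition dump to see the state the device actually boots with.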

All done

  • Feel free to provide suggestions on this tutorial to make it more noob friendly :)


@davigamer987

In case anyone wants it, here's a module that replaces the Google TV Launcher with the Android TV one (Ad Free) https://github.com/davigamer987/atv-adfree-module/releases/download/V1/atvlauncher.zip

@sergejbog

Putting this here because I had issues where I had
< waiting for any device >
After running fastboot flashing unlock

Installing this driver in device manager fixed the issue.

@x011

x011 commented Jan 14, 2025

The system automatically updated itself on the first boot. When I attempted to install the OTA via sideload, I encountered the following error:
"Update package is older than the current build, expected a build newer than timestamp 1723513642 but the package has timestamp 1697102071 and downgrade is not allowed."

Any idea how to fix this?

@supechicken
Author

> The system automatically updated itself on the first boot. When I attempted to install the OTA via sideload, I encountered the following error: "Update package is older than the current build, expected a build newer than timestamp 1723513642 but the package has timestamp 1697102071 and downgrade is not allowed."
>
> Any idea how to fix this?

That means you have downloaded an outdated OTA firmware that is older than your current version. Make sure you are downloading the latest firmware from 4pda.

@sokairyk

Link to OTA RTT0.211222.001.773 is missing. Can someone share it, or tell me where to find it? Mine came with a firmware version of RTT0.211222.001.767 which is not present in the 4PDA so I have to update before rooting.

@x011

x011 commented Jan 16, 2025

> Link to OTA RTT0.211222.001.773 is missing. Can someone share it, or tell me where to find it? Mine came with a firmware version of RTT0.211222.001.767 which is not present in the 4PDA so I have to update before rooting.

I’m facing the same issue. I cannot find a newer firmware version (on 4PDA, or anywhere else), and the system automatically updates to the latest version without giving any option to stop the process, at least not before enabling the Developer Options.

@x011

x011 commented Jan 18, 2025

I've put together a new tutorial that should work for most users:

https://github.com/x011/Root-Xiaomi-TV-Box-S-2nd-Gen-MDZ-28-AA

@supechicken
Author

supechicken commented Jan 18, 2025

> I've put together a new tutorial that should work for most users:
>
> https://github.com/x011/Root-Xiaomi-TV-Box-S-2nd-Gen-MDZ-28-AA

Yeah, flashing all images in payload.bin under fastboot (instead of installing it within recovery) will bypass the version check.

@supechicken
Author

I have updated the guide for it, thanks for the fix!

@luxubu007

I have done step 5, however after rebooting the bootloader, the screen is stuck at Mi, did I do something wrong in step 4? Although in step 4 I was able to install OTA as usual, but after the installation was complete, the usb automatically disconnected, I could not use the usb keyboard after that so I had to unplug the power to restart. I have tried a few ways but still cannot enter fastboot. This is my OTA code: RTT0.211222.001/737:user/release-keys

@sokairyk

This seems like a bootloop issue. In step 4 you need to patch the boot.img with Magisk. Did you do that on the device after installing Magisk or did you try to patch boot.img from another device like your phone? I think that if you soft brick the device you need to open it and bridge some connectors to force it into fastboot.

@luxubu007

> This seems like a bootloop issue. In step 4 you need to patch the boot.img with Magisk. Did you do that on the device after installing Magisk or did you try to patch boot.img from another device like your phone? I think that if you soft brick the device you need to open it and bridge some connectors to force it into fastboot.

I think it was blocked by the provider and had to bridge as you said. However, I'm quite hesitant to do so because I don't have the technical skills :D thank you for sharing

@maxbin123

Guys, do root and bootloader unlock break Netflix and other 4K DRM players?

@davigamer987

> Guys, do root and bootloader unlock break Netflix and other 4K DRM players?

They don't, Widevine L1 will still work

@maxbin123

maxbin123 commented Mar 23, 2025

> > Guys, do root and bootloader unlock break Netflix and other 4K DRM players?
>
> They don't, Widevine L1 will still work

Thank you, you are right, L1 is still there and if you want to force L3 and disable L1, then https://github.com/hzy132/liboemcryptodisabler works great

Also for macos you just need brew install --cask android-platform-tools and go with the same guide

@otogaz

otogaz commented Jun 8, 2025

C:\mitv>fastboot reboot bootloader
Rebooting into bootloader OKAY [ 0.000s]
Finished. Total time: 0.000s

C:\mitv>fastboot reboot bootloader
Rebooting into bootloader OKAY [ 0.000s]
Finished. Total time: 0.000s

C:\mitv>fastboot flashing unlock
OKAY [ 0.004s]
Finished. Total time: 0.004s

C:\mitv>fastboot getvar unlocked
unlocked: yes
Finished. Total time: 0.004s

C:\mitv>fastboot --disable-verity --disable-verification flash vbmeta_a vbmeta.img
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta_a' (2048 KB) OKAY [ 0.082s]
Writing 'vbmeta_a' OKAY [ 0.020s]
Finished. Total time: 0.149s

C:\mitv>fastboot --disable-verity --disable-verification flash vbmeta_b vbmeta.img
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta_b' (2048 KB) OKAY [ 0.093s]
Writing 'vbmeta_b' OKAY [ 0.035s]
Finished. Total time: 0.149s

C:\mitv>fastboot --disable-verity --disable-verification flash vbmeta_system_a vbmeta_system.img
Sending 'vbmeta_system_a' (2048 KB) OKAY [ 0.095s]
Writing 'vbmeta_system_a' OKAY [ 0.037s]
Finished. Total time: 0.151s

C:\mitv>fastboot --disable-verity --disable-verification flash vbmeta_system_b vbmeta_system.img
Sending 'vbmeta_system_b' (2048 KB) OKAY [ 0.083s]
Writing 'vbmeta_system_b' OKAY [ 0.024s]
Finished. Total time: 0.136s

C:\mitv>fastboot flash dtbo_a dtbo.img
Sending 'dtbo_a' (2048 KB) OKAY [ 0.081s]
Writing 'dtbo_a' OKAY [ 0.032s]
Finished. Total time: 0.146s

C:\mitv>fastboot flash dtbo_b dtbo.img
Sending 'dtbo_b' (2048 KB) OKAY [ 0.096s]
Writing 'dtbo_b' OKAY [ 0.039s]
Finished. Total time: 0.152s

C:\mitv>fastboot flash vendor_boot_a vendor_boot.img
Sending 'vendor_boot_a' (24576 KB) OKAY [ 1.153s]
Writing 'vendor_boot_a' OKAY [ 0.620s]
Finished. Total time: 1.783s

C:\mitv>fastboot flash vendor_boot_b vendor_boot.img
Sending 'vendor_boot_b' (24576 KB) OKAY [ 1.135s]
Writing 'vendor_boot_b' OKAY [ 0.618s]
Finished. Total time: 1.765s

C:\mitv>fastboot flash boot_a boot.img
Sending 'boot_a' (65536 KB) OKAY [ 3.029s]
Writing 'boot_a' OKAY [ 0.838s]
Finished. Total time: 4.099s

C:\mitv>fastboot flash boot_b boot.img
Sending 'boot_b' (65536 KB) OKAY [ 3.007s]
Writing 'boot_b' OKAY [ 0.843s]
Finished. Total time: 4.073s

C:\mitv>fastboot reboot fastboot
Rebooting into fastboot OKAY [ 0.000s]
< waiting for any device >

@otogaz

otogaz commented Jun 8, 2025

I can't get past this step. What could be the problem? Please help.

@supechicken
Author

@odedia Probably driver issue, check device manager and see if there are any unknown USB devices.

@otogaz

otogaz commented Jun 8, 2025

Screenshot 2025-06-08 165406

I tried many drivers. I couldn't do anything. Is there a driver you can recommend?
