Bootloop with patched boot.img - Nvidia SHIELD TV 8.0

[thekiefs]

Similar to https://github.com/topjohnwu/Magisk/issues/1750, I'm still having issues flashing Magisk on the Nvidia Shield TV on Shield Experience 8.0.0 (Android Pie) using this guide: https://forum.xda-developers.com/shield-tv/general/guide-root-nvidia-shield-experience-t3882254

Others at XDA are reporting the same problem. I'll happily provide logs if needed.

[osm0sis]

Happily provide logs then. 😉

Also stock boot.img and magisk_patched.img

[thekiefs]

No problem. Is there a good guide on how to do this?

[osm0sis]

https://www.didgeridoohan.com/magisk/MagiskHide#hn_Asking_for_helpreporting_bugs

And the ROM should have the boot.img in its zip.

[thekiefs]

I used the "NVIDIA SHIELD TV 2017 Recovery OS Image" found here for the stock boot https://developer.nvidia.com/gameworksdownload

Because it's labeled recovery, I wasn't sure if I should check the "recovery mode" box in the advanced settings in Magisk, so I tried it both ways. Neither worked. Attached are the files and logs I could capture. I also found a working root_test_works.img on xda-developers, maybe that will help you debug? In any case I have working root thanks to that file but I hope you're able to fix Magisk too.

magisk_install_with_recovery_option.log

logcat_with_recovery_option.txt logcat_without_recovery_option.txt

See the rest of the files here (expires in a week) https://filebin.net/ufflisfbe3ajaacl

[osm0sis]

What was the last Magisk version it worked with? Can you upload a magisk_patched.img from that version?

[thekiefs]

I don't remember as it was >1 year ago. I think it was Nvidia Shield 7.2.3 and Magisk 19.

[osm0sis]

Could you try 8.0 with Magisk 19.3 then and report back?

[thekiefs]

I don't have access to the windows laptop I used to flash anymore, and ADB for Mac has a USB-C related bug unfortunately where I can't flash things correctly 👎

[osm0sis]

Not a ton we can do for you if you can't help test anymore.. 😕

[thekiefs]

Sorry, it might be a few weeks until I get the Windows laptop back. I know @s3phir0th115 @elliwigy @MrNobody206 are having this problem, maybe they can help?

[s3phir0th115]

Sure, I'll do what I can to help. So as I recall, when I tried 19.3 I couldn't get it to install because it kept trying to get me to install the new Magisk. Is there a way around that? I guess I could try cutting the network as well and see if that does it.

[mpk99]

Not entirely sure, and i may be off base, but i think the latest version needs to be a systemless root -- i don't think you can just patch the boot.img any longer...

[osm0sis]

Sorry, what? boot.img = systemless root.

[mpk99]

Yeah i dunno to be honest. I just know this version of magisk works when you sideload with TWRP:

http://www.mediafire.com/file/39fr7suloob1izn/magisk.zip/file

TRWP

http://www.mediafire.com/file/aje4myoyg58uqwc/twrp-3.3.1-0-shieldtv-pie.zip/file

I had to do a wipe after, but i've got root & magisk working in 8.0.1

[osm0sis]

That looks like a heavily modified Magisk zip containing a bunch of firmware files and a kernel. Was there an official build of Magisk that worked over stock firmware?

[mpk99]

I believe it worked on anything previous to 8.0. Once they upgraded the stock image to 8.0 magisk stopped working iirc.

[osm0sis]

That's likely because they removed the ramdisk from the boot.img starting with 8.0, but most devices can usually handle Magisk adding back a minimal cpio one.

I notice veritykeyid=id:dea7c3cdbbd6c82e4223dbc541aa83438bdbd989 in the 8.0 boot.img cmdline, I wonder if that could be having some effect, despite the fact that verity should be disabled if you've unlocked your bootloader.

I took @thekiefs' magisk_patched_without_recovery_option.img (since it's of course a boot.img, not a recovery.img so Magisk's Recovery Mode should not be set) and removed that string from the cmdline. Can someone see if it boots on the matching firmware?

image-new.zip

I also checked your .magisk config and it's:

KEEPVERITY=true
KEEPFORCEENCRYPT=false
RECOVERYMODE=false

So you might want to consider making a new magisk_patched.img with KEEPFORCEENCRTPT=true (via checking the equivalent in the latest Canary Magisk Manager install checkbox options) from the latest stock boot.img, since that could also be the actual reason it's not working.

Lastly, since the device probably has a recovery partition, you can also patch a dump of it using Recovery Mode and try booting to it instead per the Samsung instructions on the Magisk wiki.

[elliwigy]

I recently got a 2019 shield tv pro and can confirm issues. when I edit the boot and recovery images my cmdline doesnt have a verity key however.

I tried patching both with magisk including various options selected and with no options selected with no luck, just sits on nvidia logo. ive also tried fastboot booting the images with no luck..

i also tried manually patching with both magiskboot and sukernel binaries with same results..

ive also tried disabling verification and verity (should be unlocked anyways) by fastboot flash vbmeta vbmeta.img --disable-verification and --disable-verity as well as fastboot oem disable-verity (old command i know but reported okay in fastboot)

unfortunately without source yet theres only one expiramental twrp which works for the most part with fastboot boot but it is unable to mount system so flashing any zips fails.. adb root shell,mtp and other stuff works..

i even used twrp root shell to manually install root which also failed to boot and hangsat same place..

i did however manage to backup every partition in twrp root shell before hand which i already had to use to recover the device during testing

i got some logs at home which i can upload later.. its hard to get logs of it trying to boot however because after any attempts device doesnt boot.. which logs are best to upload? recovery logs?

[elliwigy]

also if it matters the new firmware i believe is 8.1.1 update which is android 9

[elliwigy]

also to add yes, there is no ramdisk in boot.img but is in recovery.img.. im still trying to figure out this whole SAR thing but i believe also that system might have its own root files..

maybe trying to install system root in daemon mode to vendor partition might work?

or maybe like my note 9 combo root by having an init script install root to /sbin after device is already booting?

[osm0sis]

For A-only SAR devices that don't accept the cpio ramdisk magiskboot creates, the only option is to patch the recovery partition instead.

You need to dump the stock recovery partition to recovery.img, then use the latest Magisk Manager Canary to patch it, with likely all 3 Advanced Settings checked for stock ROM.

Then you need to flash that recovery.img back to the recovery partition and then always only reboot the device to recovery.

[rootfan]

@osm0sis, Magisk doesn't work on the Shield TV because its system partition isn't named system, it's named app. The Magisk init infinitely loops in setup_block looking for system. If you set it to look for app in SARInit::early_mount everything works fine.

[osm0sis]

Oh snap. Old Tegra naming still in effect? Can you guys supply the output of ls -alR /dev/block ?

Edit: Nevermind, found what I need!

:/ $ mount | grep by-name
/dev/block/platform/sdhci-tegra.3/by-name/RP3 on /mnt/vendor/wifi_config type ext4 (rw,seclabel,nosuid,nodev,noexec,noatime,data=ordered)
/dev/block/platform/sdhci-tegra.3/by-name/FCT on /mnt/vendor/factory type ext4 (rw,seclabel,noatime,data=ordered)
/dev/block/platform/sdhci-tegra.3/by-name/CAC on /cache type ext4 (rw,seclabel,nosuid,nodev,noatime,nodelalloc,data=ordered)
/dev/block/platform/sdhci-tegra.3/by-name/UDA on /data type ext4 (rw,seclabel,nosuid,nodev,noatime,nobarrier,noauto_da_alloc,resgid=1065,data=ordered)
:/ $

500gb model fstab:
/dev/block/platform/tegra-sata.0/by-name/APP           /system             ext4      noatime,ro                                                           wait
/dev/block/platform/tegra-sata.0/by-name/CAC           /cache              ext4      noatime,nosuid,nodev,data=ordered,nodelalloc,barrier=1               wait
/dev/block/platform/tegra-sata.0/by-name/LNX           /boot               emmc      defaults                                                             defaults
/dev/block/platform/tegra-sata.0/by-name/MSC           /misc               emmc      defaults                                                             defaults
/dev/block/platform/tegra-sata.0/by-name/UDA           /data               ext4      noatime,nosuid,nodev,data=ordered,auto_da_alloc,discard,barrier=1    wait,check,encryptable=/dev/block/platform/tegra-sata.0/by-name/MDA
/dev/block/platform/tegra-sata.0/by-name/USP           /staging            emmc      defaults                                                             defaults
/dev/block/platform/tegra-sata.0/by-name/MDA           /metadata           emmc      defaults                                                             defaults
/dev/block/platform/tegra-sata.0/by-name/SOS           /recovery           emmc      defaults                                                             defaults

16gb model fstab:
/dev/block/platform/sdhci-tegra.3/by-name/APP           /system             ext4      ro                                                     wait
/dev/block/platform/sdhci-tegra.3/by-name/CAC           /cache              ext4      noatime,nosuid,nodev,data=writeback,nodelalloc         wait
/dev/block/platform/sdhci-tegra.3/by-name/LNX           /boot               emmc      defaults                                               defaults
/dev/block/platform/sdhci-tegra.3/by-name/MSC           /misc               emmc      defaults                                               defaults
/dev/block/platform/sdhci-tegra.3/by-name/UDA           /data               ext4      noatime,nosuid,nodev,data=writeback,noauto_da_alloc    wait,check,encryptable=/dev/block/platform/sdhci-tegra.3/by-name/MDA
/dev/block/platform/sdhci-tegra.3/by-name/USP           /staging            emmc      defaults                                               defaults
/dev/block/platform/sdhci-tegra.3/by-name/MDA           /metadata           emmc      defaults                                               defaults
/dev/block/platform/sdhci-tegra.3/by-name/SOS           /recovery           emmc      defaults                                               defaults

I'll see if I can figure it out, and if not me then @topjohnwu definitely can. :+1:

Edit 2: Hmm yeah that'll need @topjohnwu. I'm not sure where/how would be best to add searching for APP as an alternate partition name here: https://github.com/topjohnwu/Magisk/blob/master/native/jni/init/early_mount.cpp#L202

[elliwigy]

Separate issue on 2019 models.. the TLK dolby service checks verified boot state and hangs on boot animation when magisk sets boot state to green.

If you have an adb root shell on the bootani then changing verified boot state to orange using resetprop loads the OS fully.

Currently I am using a module to change boot state back to orange to allow fully booting then back to greenstate once loaded to pass safetynet

[mbjurstrom]

I can confirm the the fix in https://github.com/topjohnwu/Magisk/commit/476b61c4c9675b87d027aa43f559c360affbc5c9 fixed the issue on my 2017 pro version

[thekiefs]

@topjohnwu @mbjurstrom @osm0sis @elliwigy: I don't think this is fixed for Nvidia Shield 2017 8.0.1.

I tried updating Magisk from 20.1 to 20.3 in Magisk Manager, made sure "Preserve AVB 2.0/dm-verify" was checked, then hit "Update" and "Direct Install", but got stuck on the Nvidia Logo again. To fix it I had to flash the image I found here and then install Magisk Manager again, but this still has the old version of Magisk 20.1

[osm0sis]

Did you see @elliwigy's post above about props? If it's not that then I would guess there's another issue now. Open a new one and provide as much info as you can, including what Canary it started with.

[thekiefs]

Yes I saw his post, but I'm not sure how to do what he is talking about.

Ok, I'll open up a new one. I think this issue has existed since Magisk 19.0 and Shield 7.2.3.

[osm0sis]

Don't open a new one yet if you haven't tried @elliwigy's workaround (which is outside Magisk's scope to implement internally)

[thekiefs]

@elliwigy can you describe what you did in further detail so I can replicate? I'm not sure this will help since I don't have adb on the boot animation because I'm stuck at the Nvidia logo.

[elliwigy]

I also cannot update using any regular magisk.zip or through the app without it bootlooping..

it seems to only boot using the modified magisk.zip that rootfan made in the xda thread.

If I fastboot boot stock boot.img then it starts of course without root..

I am not sure why.. it appears to install fine but boot loops.. i then tried flashing dtb and vbmeta/vbmeta_skip to no avail..

seems to be same issue we've had all along at least on the 2019 nstv pro..

using the modified magisk.zip steps on stock os are:

adb reboot bootloader fastboot boot twrp.img mount all that it lets you within twrp mount option adb remount all adb shell rm /system adb shell mkdir /system adb shell mount -o bind /system_root/system /system adb push modified_magisk.zip Twrp install the magisk.zip you just pushed adb reboot bootloader fastboot flash dtb mdarcy_dtb.img fastboot flash vbmeta vbmeta_skip.img fastboot -w fastboot reboot Once booted you might need to manually install the magisk manager apk, test by doing adb shell then su.. as root shell "mount -o rw,remount /" Open magisk manager and install w.e it makes you install to finish installing magisk and reboot When reboots will hang on bootanimation but you should have adb root shell that you previously authorized.. adb shell su resetprop ro.boot.verifiedbootstate orange device should boot up with magisk properly installed.. After this i use a magisk module to automatically change bootstate to orange on a reboot so i dont have to keep using adb..

dunno y this is what it is lol.. lotssteps but once set up its stable.. just cant update magisk and if u do a firmware update u need to reinstall this way (might be able to not wipe but if bootloops or some other issue and reflashing dtb n vbmeta doesnt work then wipe is most likely needed)

[elliwigy]

@elliwigy can you describe what you did in further detail so I can replicate? I'm not sure this will help since I don't have adb on the boot animation because I'm stuck at the Nvidia logo.

try fastboot flashing dtb and vbmeta.. if still dont work then try fastboot -w to wipe the device..

before magisk manager does its install thing on a fresh install is when you need to make sure u get adb authorized with root permissions or else you wont be able to use resetprop once u do get to the bootanimation and have to start all over lol

[osm0sis]

@elliwigy, where @mbjurstrom confirmed the earlier fix, any idea what broke it again? Can one of you try the latest Canaries and see where it stops working again?

[osm0sis]

I guess we can pick it up from there in #2243 now.

[elliwigy]

Did you see @elliwigy's post above about props? If it's not that then I would guess there's another issue now. Open a new one and provide as much info as you can, including what Canary it started with.

i believe its still the same issue that wasnt reaolved.

the resetprop is when device is stuck on the bootanimation (using a modified magisk zip from xda)

using any of the canary or regular magisk.zip either fresh or updating magisk hangs at the nvidia logo/splash screen then boot loops from there.. no ability to get an adb shell..

this is even if you can get it to install properly.. twrp still complains of mount issues/errors unless you first fix the system folder and remount it..

not sure if its normal but system is at /system_root/system and /system is symlinked from the system_root/system dir normally and if left this way the zips cant mount system.. but bind mounting it over /system and remounting rw then zips flash but of course theres some other issue beyond this that causes bootloop still..

fyi im a noob when it comes to twrp and magisk as most all my devices are locked usa variants lol

hopefully someone with more know how will chime in

[elliwigy]

@elliwigy, where @mbjurstrom confirmed the earlier fix, any idea what broke it again? Can one of you try the latest Canaries and see where it stops working again?

I am on a 2019 nstv pro, not sure if it was fixed in his 2017 variant but it wasnt in 2019 model. I am also not sure what version he used or what steps he took.

My workaround was using a modified zip from xda..

Woukd it help if I link it here so you or someone can look at it and see what he did that makes it work? I think theres more at faukt here than the mount points.. manually mounting i can get the zips to flash but from there is a bootloop.

[osm0sis]

Hmm, but then how did @mbjurstrom report it as resolved? Support for the Tegra APP system partition was added in https://github.com/topjohnwu/Magisk/commit/476b61c4c9675b87d027aa43f559c360affbc5c9

[elliwigy]

@elliwigy, where @mbjurstrom confirmed the earlier fix, any idea what broke it again? Can one of you try the latest Canaries and see where it stops working again?

i will try to get more logs and details here in a while if someone doesnt beat me to it. I did try with latest stable and latest canary builds earlier today..

[elliwigy]

Hmm, but then how did @mbjurstrom report it as resolved? Support for the Tegra APP system partition was added in 476b61c

It might have fixed the mounting issues when flashing magisk via twrp but still bootloops at least in my case (and apparently others).. I wonder if it could be an issue with twrp itself? or maybe something to do with vbmeta or dtb? I get similar bootloops for example if I dont wipe at times using even the modified magisk.zip..

[elliwigy]

what would be the best way to get logs of the bootloop? it loops before can use adb logcat

[osm0sis]

You need an adb insecure kernel and check the dmesg.

[elliwigy]

You need an adb insecure kernel and check the dmesg.

ok.. i will flash the developer firmware later then try n get u more details

[osm0sis]

Not sure if it will resolve everything, but the Magisk zip might not support the APP or CAC partition naming. I think the idea if that's true was you would patch the stock boot.img in the latest Magisk Manager then fastboot flash it.

Can someone try that?

[elliwigy]

Not sure if it will resolve everything, but the Magisk zip might not support the APP or CAC partition naming. I think the idea if that's true was you would patch the stock boot.img in the latest Magisk Manager then fastboot flash it.

Can someone try that?

i cant recall if i tried that yet or not lol.. when it installs in twrp i believe it uses /dev/block/mmcblk0p17 or something rather.. ill confirm here in a while lol.. was at it all AM so taking a break.. just picked up a SM-G977P courtesy of samsung lol

[elliwigy]

i say someone with the funds should just buy you a 2019 nstv pro lol would be easier 😂

[mbjurstrom]

On my 2017 Pro version of the Nvida shield (foster_e_hdd)

I was currently running the following cannary versions that worked fine for me. Magisk 20.2-11b7076a (20109) Magisk Manager 7.4.1-291c718b

Then did a direct uppdate in magisk manager to Magisk Manager 7.5.2-0b41cd85 Magisk 20.4-b39f4+75 (20302)

After that I also seem to get a boot loop on the nvidia logo.

When I try to boot twrp from fasboot to either disable all magisk modules, uninstall magisk or restore a nandroid backup I only get this error downloading 'boot.img'... FAILED (command write failed (No error)) finished. total time: 0.007s

I did a fresh nandroid backup before I updated magisk and then I could enter TWRP from fastboot just fine.

Edit: after a reboot of the shield again I managed to boot twrp successfully.

[rootfan]

@osm0sis the call to setup_block needs to be passed false here: https://github.com/topjohnwu/Magisk/blob/master/native/jni/init/mount.cpp#L214

[osm0sis]

This may help too: https://github.com/topjohnwu/Magisk/pull/2248

Edit: I'll add your fix @rootfan. Thanks! Good eye yet again! :+1:

[hamedsbt]

@elliwigy, where @mbjurstrom confirmed the earlier fix, any idea what broke it again? Can one of you try the latest Canaries and see where it stops working again?

I am on a 2019 nstv pro, not sure if it was fixed in his 2017 variant but it wasnt in 2019 model. I am also not sure what version he used or what steps he took.

My workaround was using a modified zip from xda..

Woukd it help if I link it here so you or someone can look at it and see what he did that makes it work? I think theres more at faukt here than the mount points.. manually mounting i can get the zips to flash but from there is a bootloop.

I have 2019 nstv pro with unlocked-boot-loader, I'm researching about rooting process... Can you share modified zip and xda thread link please? I found this: magisk_patched-8.0.2.zip did you test it? Are you have to "resetprop ro.boot.verifiedbootstate orange" on every boot? or once is enough forever?