Better Mobile App

S9+ Exynos Root, Kernel and Odin/TWRP Update Questions

Hello, seems things have become quite complicated and I really need some clarifications, here are my questions.
1 When knox was tripped a yellow triangle used to appear on boot, has this finally stopped? Has something else taken it's place (either visual or sound)?
2 Is a custom kernel still necessary because of Real-time Kernel Protection or does TWRP and no-verity patch take care of this too (I am using August 1 stock kernel)?
^ link: https://forum.xda-developers.com/ga...cross-device-development/twrp-exynos-t3763464
Does this patch also include OEM unlock fix from dr.ketan? https://forum.xda-developers.com/galaxy-s9-plus/how-to/guide-root-s9-oem-fix-t3763974
3 Google started banning non certified devices from using gapps (including google play) unless they are registered here: https://www.google.com/android/uncertified/
Will flashing TWRP, the above patches and Magisk cause this or will the device appear as certified? If it doesn't will a custom kernel avoid this? I'd like to be able to
integrate updated versions of system apps into the system partition so there will only be one copy of the app on device (the updated), plus add remove system apps,
will this cause problems with device certification and or Safety Net even if I use the patches? Will this also happen if I use a custom kernel? I want to keep my device as
stock as possible btw.
4 How should I update to newest firmware when it comes out? Flash the new firmware using Odin with home csc then flash all over again TWRP, the patches and Magisk? [and custom kernel if inevitable]
If so how can I tell whether the patches will work or not on the new firmware? Can an updated bootloader or a new update in general make TWRP fail to flash in Odin?
If frp comes back due to the new firmware, in conjuction with the gapps certification issue and because the phone may not work with the new update I will format or restore, will I be locked out of the
device unless I get to pc and register it to google (using adb to get the info) to pass the setup or flash stock again?
Thanks a lot in advance for any help.

I bump!

Surely there are people here who can answer at least some of the questions. Anyone who is rooted could at least answer question 1...
Edit: I decided since I am going to root in the end anyway might as well just do it, so I'll answer most of my own questions now in case someone else wants to know before root.
1 there are no more warnings (Samsung stopped putting the yellow triangle on boot screen to indicate tripped knox and nothing else took it's place). The only indicator is waranty void in download mode.
2,3,4 I decided to use SoLdieR9312s rom(which is complete stock rom incl stock kernel(or another) with extras like magisk included). The stock kernel from this rom is definitely cracked properly(for RKP protection), the device is certified in google play and I can change system apps as well without breaking it along with safety net.
It is still unknown to me whether or not the patches take care of this, I just assumed that they do not just to be safe.
Updates can be obtained from custom rom page :
https://forum.xda-developers.com/ga...g96xf-fd-n-stock-rom-soldier9312-1-0-t3771346
and flashed with TWRP. This guarantees for uodates that frp will remain dead and kernel will remain patched I believe.

Shield TV 7.2 developer update, downgrade and other things

Important notice! : iLLNiSS made me aware of a serious risk!
If you play with the firmwares manually and not with the flash all bat then DO NOT flash the blobs!
These are the actual bootloader files and stuffing up here will cause a hard brick!
I have to stress this out as it is serious thanks to not having working APX drivers a flshing programs for the Shield!
For starters, I uploaded a copy of the 7.2 developer firmware here:
7.2 developer ZIP on Dropbox
It is the full 1.1Gb update and not the 422mb block based one.
I have done some extensive tests since the first block based update wrecked my rooted Shield.
Some of it will end up in this post as info for everyone.
But lets start with what seems to be the problem for a lot of users right now who run a rooted Shield : Fixing the problem
A downgrade is officially not supported by Nvidia but my tests showed it works just fine if you only go back to the 7.1.
So far my tests showed differen sources for a Shield no longer working after the OTA.
1. The device had an unlocked bootloader and you got the 422mb block update.
This would have stuffed your bootloader and the Shield won't go past 1/4 on the progress bar for the update.
You are in luck as just flashing the 7.1 bootloader will fix it.
After that just dismiss the update and change the settings to manual updates.https://forum.xda-developers.com/editpost.php?do=editpost&p=78466377
2. Your device was already fully rooted and you got the full update that resulted in your Shield doing all sorts of thing but nothing properly anymore.
As long as your apps are still there and the Shield is still somhow usable you are lucky again.
A downgrade to 7.1 will fix it, I will explain the steps required further down.
3. You made bid mods, used Magisk or other rooting tools and now your Shield complains that your system is corrupt.
Bad luck if your bootloader is locked as you loose it all.
Lucky if the bootloader is unlocked as you might be able to keep most if not all during the downgrade.
General words of warning:
Even if your bootloader was unlocked from day one I can not garantee that the downgrade will keep all settings, apps, databases and so on.
For me it works fine as I kept all vital databases on external storage.
The procedures are all based on the developer firmware, on the stock firmware some things can still be done but then again you should not have more than software problems.
On the stock firmware the bootloader is locked by default and you can use some things required to owngrade due to the restrictions of a stock system.
General downgrade procedure for the developer firmware to get back to 7.1 :
If the update did get stuck on the progess bar early on and a reboot won't fix it so you can dismiss the update you just follow the steps.
If you can reboot into the 7.1 then just dismiss the update.
Trust issues or curruption warnings at boot but an otherwise working shield on 7.1 require to flash the 7.1 bootloader again.
In some cases it is possible to skip the corruption warning with a connected controller.
A reboot once you got to the homescreen will determine how bad it is.
Reboot goes fine: You are good.
Reboot keeps nagging with warnings other than the unlocked bootloader: Downgrade.
The downgrade is only required if you have problems or the Shield already runs on the 7.2!
In almost all other cases just flashing the 7.1 bootloader is sufficient.
Fixing a stuffed Shield by sideloading the 7.1 firmware while keping all apps and things:
Enable USB debugging and allow the connections for the computer if you still have access to the settings.
Otherwise you need to flash the 7.1 fresh and might loose vital things that need to install again.
Reboot into the stock recovery, if you use TWRP flashed on the Shield already then please flash the recovery from the 7.1 firmware first.
Hook up the controller and pressing A or B should get you into the normal recover screen past the dead droid.
ADB sideload XXX - where the xxx stands for the filename you have for the developer ZIP.
After the rebbot you should be back on your 7.1 homescreen and can dismiss the 7.2 update.
Also change the update settings while at it
Fixing a fully stuffed Shield and then downgrading to the 7.1 firmware:
If all went down south then you tried a few things and realised there is no way to get your data back and even less to prevent the 7.2 update.
Installing the 7.1 from scratch forces the setup wizard and before you can get anywhere you need to update to 7.2
So much easier to use the linked 7.2 update from above until Nvidia provides it on their download servers.
A vital thing to do is to keep the bootloader locked!!
Same for NOT having TWRP installed on the Shield!
If in doubt flash the 7.1 boot and recovery partitions first then go back into the stock recovery and wipe the cache.
Coming from a stock developer firmware with just an unlocked bootloader you are good to go.
Sideload the 7.2 update.
Unplug when the reboot starts and go into fastboot to lock the bootloader: Fastboot oem lock.
This is a vital step as the new kernel otherwise could ruin the completion of the install.
Ignore the double hassles and go through the wizard so you can enter the settings again to enable the developer mode and USB debugging.
Unlock the bootloader so you can do it all again Last time I promise!
Once you have both the bootloader unlocked AND the Shield in a usable condition past the setup wizard:
Reboot into the recovery to sideload the 7.1 firmware.
After the next reboot you are back on the 7.1 homescreen drirectly and can dismiss the update.
Possible tricks that can help you to prevent the installation of the 7.2 update if you come from a fresh 7.1 install instead:
Don't allow the reboot and instead use ADB to reboot into the recovery.
Wipe the cache - this will remove the scripts required to start the update after the reboot.
The next reboot should bring you back to the homescreen where you can stop the new download of the update and change the update settings.
TWRP, full root and new security measures in 7.2:
The 4.9 kernel used also makes use of a Fstab configuration that no longer includes the system partition.
This and other restrictions currently make the normal use of Magisk impossible.
With no system partition available to Magisk the changes in the boot process come to a stop and the Shield gets stuck during boot.
The added restrictions also make it very, very hard to manually add SU and busybox.
At least without getting the currupt system popup on every boot and finding out that a lot of things still don't work properly.
A final 7.2 firmware is said to be available on the download servers today.
If this final is no different from the current OTA then it will not be of any use for users requiring a fully rooted devices.
With the stock recovery still using the old kernel all attempts to use recovery functions to alter the system for rooting fail as well.
Can't blame the company as all this is part of Google revamp og security and closing backdoors and loopholes for possible attackers.
Personally I think it is Googles way of keeping control over devices they don't actually own.
Anyways I did make some little progress:
Plans for the near future:
Security is good but I like to know what my Android devices are doing and especially what Google likes to collect if I can not find ways to stop it.
So I will not try to use any backdoors or secrurity vulnerablilites in the new kernel to allow a full root on my Shield.
I will go the route I know best: Manual labour
The bootloader is already fixed to allow what we are used to from previous developer firmwares.
As SU and busybox can not be manually entered at this stage I will try to include them directly in the stock 7.1 firmware while renaming the OTA updater to have it a bit easier.
Assuming that works as expected I will do the same on the 7.2 firmware and compare the corresponding scripts and so on.
If the standard SU still works on an "unlocked" 7.2 I should be able to adjust the Magisk ZIP accordingly to implement it into the bootloader.
Only need to figure out if Magisk then has enough rights to work and the system is still happy to accept the changes.
I noly have the 16Gb 2017 model to work with but since the bootloader seems to be same for all Shield models I think if it works then it should do so for all models.
In the meantime I hope the infos here will help some pople to get their shield back without the need to sent it in.
Update 25/12/18: I got TWRP working on 7.2
This is only true for the 2017 model though as I have only this for testing.
Currently creating a backup to the internal storage.
If the restore works then I will upload the new TWRP - for the said model only!
Give me a day or two to fix it for the other models too.
There is progress on the rooting front as well.
Created new scripts for my kitchen to be able to handle the new file_context thing.
A fully pre-rooted and totally unsecure (in terms of ABD, DM-verity and such) is already cooked, just did not dare yet to try it out as I have a real life job too.
As for the pre-rooted firmware:
Things have changed quite a bit with the new kernel in terms of "just adding SU or Magisk".
Magisk might see an update for this problem soon, SU however seems to tally fail on two levels.
So far I was unable to do a full install of the modded firmware.
Flashed all at once and the boot just hangs.
Bootloader, reboot, then the rest seems to work.
At least for the basic install of the system.
If I add SU and busybox the system still ends up with a corrup notice during boot and then it fails.
Tune in over the next few days for progress updates at the end of the thread.
Major developments will be added right here.
Just a matter of finding the last restrictions.
Once that is done Magisk should be possible as well.
Ok, TWRP boot fine, does a backup but fails to restore the system to a bootable state.
Will now check if at least installing a zip works.
Well, it did not, so TWRP has to wait a few more days
I edited post 3 with instructions on how to "unbrick" and go back to 7.1.
Update 27/12/18: A friend of mine found some intersting stuff.
A 7.2 firmware offering a pure Android without any TV stuff but also a full root possible.
I hope he will share his finding here soon or allow me post it all in his name.
For now lets just say: It really works if done the rght way!
Full write rights, installing Magisk modules and all.
All thanks to an undocumented flaw in the device security structures, so even without any hidden backdoors or such LOL
Update: Whiteak was so kind to provide a working root solution in post 36, please check it.
I can confirm it is working as promised.
So the credits for this one go to Whiteak and the credits for the idea and use of the DTB file to Zulu99 - great idea!
To prevent any problems I advise to perform a factory wipe after the install and before the first boot.
Switch to the stock recovery to do this then boot as normal an enjoy.
A complete firmware with the required mods is sitting on my PC just waiting for idiot behing the keyboard to figure out how to pack it properly for flashing.
Once that problem is sorted and also TWRP working again things will get a lot easier.
Annoying update:
I was not able to confirm my web findings on the 7.2 firmwares bootloader but it seems other devices running the same type of kernel and bootloader and a bit lost now.
AVB is fully implemented on the latest level.
(Again I am working on confirming or denying these findings!)
This means any alteration to vital parts of the system will fail with a corruption warning or worse.
Custom recovery access is limited if not fully restricted.
But even if it works you still need a firmware to flash that either is able to disable all this crap, hoping the bootloader alone will allow it, or
to hope Nvidia will provide a future bootloader update with these restrictions removed.
We can not downgrade the bootloader and even if there is some old one out there that would actually be flashable the risk is high to end with a brick anyway.
The DTB, at least in my tests gives us the required system wide write access but I have no information about the AVM verfified boot other than that Zulu99's firmware works.
But if it was compiled with the NVidia developer suite then it will be signed accordingly so the bootloader accepts it.
Could not find any info on how his firmware was actually created.
It gives me the hope though that once I have a fully working TWRP again that my modded 7.2 will work as expected and with no restrictions anymore.

Thanks for the info.

Edit: Will use this post to list options to recover the Shield is all seems lost.
As a result of far too much rom cooking and mods I needed a 100% working way to recover the Shield in case things turn very ugly.
So lets sum up what I define as very ugly when playing with firmwares:
1. Firmware installed but the Shield just hangs on the logo.
2. Firmware installed and now the system is corrupt and even it is boots it takes forever to get around the nag screens.
3. Firmware downgrade attempted but now the Shield won't even boot anymore.
4. Anything that would qualify for a soft brick.
My worst case when I only got a flashing white screen after trying to restore a TWRP backup under 7.2.
There any many way that work for a variety of boot problems but it takes too long to list all cases I encountered with a list of fixes that work or a comment that only the below way works.
So just to be clear here: This is not for any recovery purpose other than fixing what can't be fixed through a factory reset or fresh flashing of the firmware!
1. Get the Shield into Fastboot mode: Connect wired controller and male to male USB cable.
2. Power the Shield up while holding A and B on the controller.
Keep holding until you see the fastboot menu on the screen.
3. Install the 7.1 recovery firmware for your Shield type after unpacking it.
With Fastboot connection working type: flash-all.bat and hit enter.
4. Keep an eye on the progess!
5. Once the Shield is finnished and reboots, hold the A and B buttons on the controller again to enter fastboot mode!
Do not let the Shield boot up other than into the fastboot mode!
6. Lock the bootloader! Fastboot oem lock
Confirm with the controller, then go down and select the recovery kernel.
7. Once the dead droid is on the screen press B on the controller to enter the real recovery.
If B does not work try A
8. Select the factory reset option to wipe all!
9. Once the wipe is done you can boot into 7.1 as normal again.
10. With a bit of chance you might even get directly to the homescreen if the previous setup was completed.
If you need the full seup wizard again and are forced to update to 7.2 then at least the update will work fine this time around.
In case you desire to go back to the 7.1:
If you just finnished the above only to end with the 7.2 then set it up and flash the 7.1 - you won't get the setup wizard again and can skip the update.
If you are on a working 7.2 that was update the OTA way but want to go back:
1. Install the 7.1 firmware.
2. Lock the bootloader.
3. Boot and then skip the update to 7.2.

Any idea what to do if the Shield sticks at the NVidia logo when you select Recovery from Fastboot? I reflashed boot and got the same result.

psycho_asylum said:
Any idea what to do if the Shield sticks at the NVidia logo when you select Recovery from Fastboot? I reflashed boot and got the same result.
Click to expand...
Click to collapse
It won't work from fastboot.
Fastboot operates on a different level and calling the recovery from there lets it end up in nowhere with no access to the system.
You need to boot into recovery through ADB as (for the new model) without a power button and usable hardware buttons we can't get into it otherwise.
Having said that, the fastboot way should still work with an unmodified bootloader.
When the dead droid is on the screen the recovery should be available after pressing the A button on the wired up controller.
But during my tests on 7.2 it did not always work, so you might have to try a few times and also try the B button.

Downunder35m said:
It won't work from fastboot.
Fastboot operates on a different level and calling the recovery from there lets it end up in nowhere with no access to the system.
You need to boot into recovery through ADB as (for the new model) without a power button and usable hardware buttons we can't get into it otherwise.
Having said that, the fastboot way should still work with an unmodified bootloader.
When the dead droid is on the screen the recovery should be available after pressing the A button on the wired up controller.
But during my tests on 7.2 it did not always work, so you might have to try a few times and also try the B button.
Click to expand...
Click to collapse
I have not been able to get to the dead droid screen.

Downunder35m said:
For starters, I uploaded a copy of the 7.2 developer firmware here:
7.2 developer ZIP on Dropbox
It is the full 1.1Gb update and not the 422mb block based one.
(snip)
Click to expand...
Click to collapse
Thanks for posting this, but please note that this firmware is only for the 2017 16GB model and cannot be used with a 2015 or Pro model.

I just got a 7.2.1 update that forced me to update. Wouldn't give me an option to skip it... As soon as I turned on my Shield, it said something about the 7.2.1 update and then rebooted and installed.
I was holding off on updating too so I didn't lose root. Now I'm unrooted and am unable to get Magisk working again until I can get my hands on a 7.2.1 bootloader... Bleh.

Weird, I am not getting the 7.2.1 at all here.
And since yesterday the OTA only tries the block based but not the full image.

AthieN said:
I just got a 7.2.1 update that forced me to update. Wouldn't give me an option to skip it... As soon as I turned on my Shield, it said something about the 7.2.1 update and then rebooted and installed.
I was holding off on updating too so I didn't lose root. Now I'm unrooted and am unable to get Magisk working again until I can get my hands on a 7.2.1 bootloader... Bleh.
Click to expand...
Click to collapse
I was able to downgrade using the 7.2 image after setting up the device on 7.2.1 OTA just make sure you disable automatic updates

Thanks downunder this kind of in-depth info is always appriciated man........i like to learn these kind of things, having bits here and bits there gives a better picture of the whole, while also giving us upto date current info.
Thanks for taking the time to write this :good:
---------- Post added at 07:35 AM ---------- Previous post was at 07:27 AM ----------
Edit
Hi downunder, could you confirm i have this correctly
With no access to fastboot thus no twrp or root, are you implying, assuming your able to inject root into stock firmware, that, i'd be able to flash this stock+root rom in STOCK recovery, which i do have access to?
Edit: im under the impression that stock firmware zips are checked by stock recoveries, so modifying a stock firmware zip tends to fail this check and thus wont install/flash.......which makes me think im misunderstanding here......or just hoping im not
If so, im interested
Edit
i just read your second post which near enought answers my curiousity, so that'll teach me to read beyond the first post before asking answered questions ........even if the post excites me............ahhh, who am i kidding, ill probabably do it again........the equivelancy of a mental post boner........not controllable
Sorry for the disgusting analogy

SyberHexen said:
I was able to downgrade using the 7.2 image after setting up the device on 7.2.1 OTA just make sure you disable automatic updates
Click to expand...
Click to collapse
Did I understand it correctly? You successfully downgraded from 7.2.1 to 7.2?

ErAzOr2k said:
Did I understand it correctly? You successfully downgraded from 7.2.1 to 7.2?
Click to expand...
Click to collapse
Yes,
Just ran flash all from the bootloader. For the newly released 7.2 developer_rooted factory image.

As long as we don't jump to Android 9 we should always be able to downgrade through a full factory firmware.
Once Android 9 comes this might not work anymore due to the massive changes involved for the boot and system checks.
@banderos101: Unless you really did something bad you should always be able to enter the fastboot mode to flash a full firmware.
If I have some time after xmas I will have another look on the options of signing the zip properly or simply to fake it.
Biggest problem will be to generate the corret SHA checksums ince all is installed so I can use the same checksums in the check files.
The bootloader needs them to identify the system and vendor as genuine.
The system needs them to confirm all is actually unmodified as otherwise all fails to boot at some stage.
Modding a proper userdebug firmware is not really that hard, but converting a release version that also is a true and secure user release...
Lets just say that it won't be an easy task.
As it looks like the kernel is a keeper I might have to figure something out unless TopJohnWu won't enjoy a break after his exams and works on a way to get Magisk working with out kernel.
At least I figured out why the recovery trick isn't working for me.
The system partition is not mounted for the sideload mode.
To apply an update the stuff is written directly onto the partition, so no file level access left to play with and break things
In comparison you could say the shield is now like a modern car with keyless operation only.
You know you can start it with ease, if you only could the remote that you left in the drivers seat when you locked the door

SyberHexen said:
Yes,
Just ran flash all from the bootloader. For the newly released 7.2 developer_rooted factory image.
Click to expand...
Click to collapse
Just wondering what is achieved by going back to 7.2?

What do you mean "going back"?
Right now the 7.2 is the official and latest firmware.
I was unable to get my hands in the 7.2.1 but guess it might have been a testversion for certain models only.
I wasted a few hours trying to fix the system image.
First stage was only to get the basic "features" back, like full ADB support, enabling the support to use SU and busybox....
Just what is required to actually allow these nice apps we like to gain root to work.
This backfired badly as right after the start the bootloader complained about the system being corrup and no override to get past this worked.
So of course I then removed the known restrictions from the bootloader...
As you guessed it the damn thing then did not even boot at all, just jumped right into the (locked) recovery mode.
A half decent comparision with my last manual root on a tv box that was a success showed I still did the right things...
If anyone wondered why we needed a new bootloader for the support of smart helpers an some codes stuff:
We didn't as all this could have been done with the 7.1 bootloader as well.
Since my root attempts so far all ended either in disaster or in a root access that failed shortly after/corrupted the system, I took a look of the general kernel changes that were published for other devices.
Before I could find anything meaningful I realised the 4.9 kernel is actually a requirement for Android Pie!
With that info sorted I started digging inti the new "security" features Pie can offer.
I will try to keep it simple and to the stuff that actually concerns us for rooting purposes:
The new boot process with Pie is aimed at being secure from the hardware level up and all the way into the system partion once the boot is completed.
So the hardware checks if the bootloader is actually usable - we had that for a long time, nothing new.
Once the bootloader starts and reaches the point of actually getting somewhere, all partitions required will be checks by either a hash check or a trusted certificate gererated at boot time that is compared to the previous certificate.
Only if that is fine the bootloader will call upon the system and vendor partitions.
The handover of control from bootloader to the system is made far more secure as well.
SELinux is called early on to ensure that only trusted apps and tasks can work but also to all a new control level.
System related apps no longer run as root or with special permissions.
Instead every single app and service runs as its own user!
And under SELinux conditions this means nothing can access anything that it is not entitled to unless included as a user for the other app.
And with that sorted the vendor stuff is called to ensure all hardware and vendor related stuff is still genuine - this include the required certs but also the recovery and bootloader hash codes and certs.
So if something is fishy either SELinux will stop us or the vendor stuff will just overwrite it all.
Once we finally reach the system stage the recovery is checked if called from within the system, if fully implemented it could mean that using an official update on a modded firmware will delete all data as the encryption from the old system is declared invalid.
Sadly it does not stop there because even with full rigths (faked or otherwise) to access the system partition with write access we still can not just change things.
If something belongs to a user (a secure app) than a change will corrupt the system.
To overcome all this without using vulnerabilities that so far no one has found, a compatible userdebug release has to be created from the official user firmware.
DM-Verity needs to be disabled as well as all partition encryption stuff.
The bootloader needs to be adjusted to reflect these changes and the required turst certificates generated and included in both system and boot images.
The only problem here is that the kernel won't allow these changes unless it itself is a userdebug kernel.
After that it is only the little efford to go through about 60 different scripts to remove or redirect the calls for all boot and system security related things.
If then by some chance all this actually boots up and goes all the way into a usable homescreen the entire stuff needs to be secured again.
This time so that the final system has a correct cert and checksum that matches those we need to include in the bootloader.
Anyone knows how to gain full access to the trusted keystore on the 4.9 kernel? LOL
For the moment I don't really care about all the stuff above.
I would be happy to figue out what to make out of these new fstab configurations without the vital partitions listed.
The real aprtitions used have not changed but it is impossible include them in the fastab, doing so causes the bootloader to fail.
Presumably because the kernel realised we try to get around the verification process.
This and some other minor things are also the reason TWRP fails so badly, same for the stock recovery by the way.
Since TWRP is toy a lot us like:
TWRP and 7.2....
Without a system partion in the bootloader fastab TWRP can not mount it.
Same for all other things TWRP needs to mount as it simply does not have the right to access these areas.
To make things worse, we need system access to even start TWRP through fastboot.
So, now matter if we flash or start it through fastboot: The bootloader and system will realise our recovery does not match the checksum.
What does al this now mean in terms a lot more people are able to understand?
Let me try...
Imagine the 7.2 in a running version would be just some encrypted file with a lot of folders in it.
And like PGP or other encryptions software we know there is a private and a public key.
With the public key you can see a lot and use most the encrypted file - but only to a level that is required, nothing above your low level clearance.
For every attempt to write into this file or to make changes we need the private key.
If you follow so far then lets just say the recovery (stock) and Fastboot can be, to some extent, used for this access.
But since every folder in the encrypted file also uses private and public keys it is like tracing a tree.
Although it is getting too long, let me give you the example of just adding SU to the sytem partition:
Adding SU into the system image is no big deal.
Singing this image to get a usable key and including this key into the keystore is.
Assume we would just be able to do it....
SU needs to be called quite early in the boot process.
It then elevates the access level for certain things and also intercepts all root related requests from apps and services.
Except of course those that already had these rights by default.
Problem here is that adding the scripts we need plus changing some others means violating the tree of trust on the device and we get locked out.
Finding a spot to add the required rights for SU might be still possible.
On the other hand it will be impossible to give SU any rights or access to "trusted user" owned parts, files, folders, partitions....
The entire concept of SU just fails.
I will have to check how much of the new features are active in the 7.2 kernel that hinder us.
If I find enough it might be possible it enough to call for a Magisk update.
But I guess it is of little use for just one set of devices, so maybe once more devices on the 4.9 kernel fail to work with Magisk it will be easier to spot a usable pattern.
In case someone else if already working ona mdified system: Please let me know how you made it boot after the changes

Shield Tv 16 2017 - OTA update 7.2.1 Ready for updating
Im on 7.1. I have been waiting for 7.2 developer image, which is now out and just noticed 7.2.1 is available OTA. I'm really confused what to do. I want to keep root without bricking my Shield. Should I Stay with what I have as it is running well.
I am not even sure if it is safe trying to update to dev 7.2 image (or if I would want to) by hooking to computer and using ADB Fastboot tools.
Is there any good reason to update to 7.2 or 7.21? and if so how would I go about doing it? Which program is good for flashing developer images or OTA updates. I used to use flash-fire, which seems to be obsolete now and have heard TWRP is incompatible rooting with SU with OREO updates????
Should I play it safe and stay with what I have rather than experiment and end up with a brick? (wouldn't be the first time)
Anyone know if 7.21 is some-kind of bug fix?
Alot of questions but hope someone has some answers.
Thanks for any info.

"You know you can start it with ease, if you only could the remote that you left in the drivers seat when you locked the door "
My fastboot issue
Yeah, i think i busted the microusb somehow with a faulty usb hub, whenever i plug the usb to my raspberrypi/windows box(for adb/fastboot) now, it turns off all usb ports on the pi aswell as the windows box, even when the shield is unplugged, some sort of earth problem maybe
......all i have is adb over network, adb reboot bootloader simply reboots back to system, adb reboot recovery works though.
ive read that fastboot over tcp(ethernet) had been introduced a couple of android versions ago, but i dont think its been implemented in our shields
infact heres a link
https://www.androidpolice.com/2016/...-capabilities-wireless-flashing-isnt-far-off/
Looks like it needs to be specifically added onto a build
As far as you making a stock root build, if you can, that would awesome, more then awesome, but if it becomes more work then you thought dont worry about it, its not like their making it easy
Also, sounds like 4.9/future android is gonna be a nightmare for root......... having the ability to root so that the option is there to see whats going on in the background of these devices, these devices posessing cameras/microphones/old+latest sensors/personal files/personal info, which reside on our personal beings or in our homes........is just one reason why i dont want to see root go away

So what is the purpose of the developer image of 7.2?
Rather, I know the stated purpose of the developer image, but if it is locked in the way described it sounds like the benefit is negated for typical developers.
(e.g. sometimes I debug an application without permissions in order to benchmark or debug a problem).
For casual users of the shield, using ad blockers and whatnot, is there any benefit to derive from installing the developer rom over stock? Does "adb root" still work?
What is left as the difference. It doesn't sound like they produced a userdebug build of the OS.
Thanks

The 2 new updates are horrible. I have gone back to 7.1. They have crippled my shield. I'll wait for a new update.

Bootloop after flashing patched boot.img through Odin (SM-T860) Magisk V20

I tried rooting my Tab S6 Wifi (German, Snapdragon with unlockable bootloader) following this guide
unofficialtwrp.com/root-latest-samsung/
after another guide i found on xda left me with a vbmeta error to which i couldn´t find a solution (except maybe patching version 19.4 instead of 20, but the manager won´t let me choose and i don´t know how to do that manually).
SImply flashing stock firmware still works, but i´d really like it rooted. Is there something i need to do differently?
This isnt my first time rooting, it is however my first time being left with unanswered errors, so my experience is limited.
I can try to provide any information you might need.
Thank you for your time and patience.

Alternatively, if someone could provide me with a patched AP file that doesn´t cause the vbmeta error that fits my device, that would most likely work even better.

Root/Unroot frustrations

I'd like to keep this simple. I tried rooting and not a single tutorial on here has ended with root privileges for various reasons. I'm done with it. I flashed stock firmware in hopes of removing any trace of files that may have been altered during the various root tutorials I followed, but Samsung Pass says the device is still rooted.
What do I need to do to return to 100% stock?

noxarcana said:
I'd like to keep this simple. I tried rooting and not a single tutorial on here has ended with root privileges for various reasons. I'm done with it. I flashed stock firmware in hopes of removing any trace of files that may have been altered during the various root tutorials I followed, but Samsung Pass says the device is still rooted.
What do I need to do to return to 100% stock?
Click to expand...
Click to collapse
I assume you unlocked the bootloader. Try Relocking and flash the firmware again.
Weather that will work is anybodys guess.
Rooting is a pretty simple procedure I can't think of any reason it didn't work except user error.
This method works perfectly on T860.
***********************
https://forum-xda--developers-com.c...-to/root-guide-t860-root-twrp-method-t4095677

jhill110 said:
I assume you unlocked the bootloader. Try Relocking and flash the firmware again.
Weather that will work is anybodys guess.
Rooting is a pretty simple procedure I can't think of any reason it didn't work except user error.
Click to expand...
Click to collapse
Well, this isn't the first time I've rooted a device and I followed every step of every tutorial I found on here and, for some reason, it would not root. This is the first, and only, device I've had this much trouble with.
The tutorial for rooting without TWRP: I made the patched AP file and flashed it; however, I could not boot into recovery or download mode and it always stuck on the boot logo.
The tutorial for installing TWRP didn't have a link for the encryption disabler and the one I found did absolutely nothing and the folders in storage just showed as a string of numbers and letters.
Maybe, if someone could put together a full tutorial with the files being used within the tutorial, it would have worked.

noxarcana said:
Well, this isn't the first time I've rooted a device and I followed every step of every tutorial I found on here and, for some reason, it would not root. This is the first, and only, device I've had this much trouble with.
The tutorial for rooting without TWRP: I made the patched AP file and flashed it; however, I could not boot into recovery or download mode and it always stuck on the boot logo.
The tutorial for installing TWRP didn't have a link for the encryption disabler and the one I found did absolutely nothing and the folders in storage just showed as a string of numbers and letters.
Maybe, if someone could put together a full tutorial with the files being used within the tutorial, it would have worked.
Click to expand...
Click to collapse
Did you get the bootloader unlocked?
Unlocking the bootloader:
https://www.getdroidtips.com/how-to...to_Unlock_Bootloader_on_Samsung_Galaxy_Tab_S6
To get to download mode it's volume up and volume down then plug your pc into device. NOT POWER AND VOLUME DOWN. This can be a pain in the back side.
If you do it this way you'll get the option unlock / lock bootloader or go to bootloader mode.
If you follow the instructions perfectly and then follow the instructions for rooting it will work.
Move on to root.
ROOTING :
https://forum-xda--developers-com.c...-to/root-guide-t860-root-twrp-method-t4095677
AP SLOT = PATCHED FILE
BL SLOT = BL FILE
CP SLOT = CP FILE (T865) NOT T860... T860 HAS NO CP FILE
CSC SLOT =HOME CSC FILE
DON'T forget to setup WiFi before installing magisk manager. ^^^^^^^^^
Install TWRP.
TWRP :
https://forum-xda--developers-com.c...b-s6/development/recovery-twrp-3-3-1-t3975587
I hope this helps you out.
If you have anymore questions just ask.
Disable DM VERITY ENCRIPTION DISABLER
PATCHED ODIN

jhill110 said:
Did you get the bootloader unlocked?
Click to expand...
Click to collapse
Yep, bootloader unlock was easy. I'll give root another try with your steps in a couple of days when I'm off work. Sorry if I came across a bit aggressive in my previous posts; I have a tendency to do so even when I'm not frustrated.
This has been so frustrating to me because I know rooting is usually a simple process; as you said previously.

jhill110 said:
ROOTING :
https://forum-xda--developers-com.c...-to/root-guide-t860-root-twrp-method-t4095677
AP SLOT = PATCHED FILE
BL SLOT = BL FILE
CP SLOT = CP FILE (T865) NOT T860... T860 HAS NO CP FILE
CSC SLOT =HOME CSC FILE
DON'T forget to setup WiFi before installing magisk manager. ^^^^^^^^^
Click to expand...
Click to collapse
So, yea, I'm a bit late getting around to this. Sorry.
This is where things get hung up. Everything flashes just fine and I can even get into TWRP; however, when I try to boot the tablet i get the Galaxy Tab S6 screen, then the warning about the bootloader being unlocked, and back to the Galaxy Tab S6 screen but with a "unofficial software" warning....and repeat. It just boot loops and this is where I've since I started this thread.
Also, returning to stock doesn't completely remove root traces as I can't use Samsung Pass and I simply get a warning about the device seemingly being rooted even though it isn't.

If you installed TWRP, then you tripped Knox tripping Knox will permentally disable Samsung Pay as far as I'm aware. You'll never get it back, regardless of root or no root access.
Also, I'm not sure why you're installing TWRP AND trying to flash a Magisk patched OS. It's one or the other, you don't need to do both. Unless something has changed in Android 10?
If you're flashing TWRP, you just need to flash Magisk in TWRP(along with the other files!), no need to patch AP.

bartleby999 said:
If you installed TWRP, then you tripped Knox tripping Knox will permentally disable Samsung Pay as far as I'm aware. You'll never get it back, regardless of root or no root access.
Also, I'm not sure why you're installing TWRP AND trying to flash a Magisk patched OS. It's one or the other, you don't need to do both. Unless something has changed in Android 10?
If you're flashing TWRP, you just need to flash Magisk in TWRP(along with the other files!), no need to patch AP.
Click to expand...
Click to collapse
Not Samsung Pay, I couldn't care less about that, but Samsung Pass; I guess it looks for knox being tripped now too. That sucks, but I'll make do without it.
I was following the guides posted above. The root guide said to flash a Magisk patched OS and then there was a guide for installing TWRP. I never had this many issues or this much confusion with my 1st gen Tab S; maybe I just haven't kept as close of an eye on these things since I've been without a tablet for awhile before getting the Tab S6.
Anyway, for clarification, all I need to do is flash TWRP and then flash magisk from within TWRP? Or, just install the magisk apk after booting into Android?

noxarcana said:
Not Samsung Pay, I couldn't care less about that, but Samsung Pass; I guess it looks for knox being tripped now too. That sucks, but I'll make do without it.
I was following the guides posted above. The root guide said to flash a Magisk patched OS and then there was a guide for installing TWRP. I never had this many issues or this much confusion with my 1st gen Tab S; maybe I just haven't kept as close of an eye on these things since I've been without a tablet for awhile before getting the Tab S6.
Anyway, for clarification, all I need to do is flash TWRP and then flash magisk from within TWRP? Or, just install the magisk apk after booting into Android?
Click to expand...
Click to collapse
My bad for some reason I just read that as Samsung Pay. But yeah Samsung Pass also doesn't work with root, I'm not sure if that is permanent though as I've never used Samsung Pass, but did come across this thread https://forum.xda-developers.com/general/rooting-roms/samsung-pass-knox-tripped-devices-t3687977 it is possible to get some components of Knox to function again, (I have a working Secure Folder) so might be worth taking a look.
As for you question...
You should give this thread a good read... https://forum.xda-developers.com/galaxy-tab-s6/development/recovery-twrp-3-3-1-t3975587
Basic steps are... Unlock the bootloader and then boot into system and ensure it's unlocked in settings. You may need to connect to the web, I can't remember tbh
First you need to install TWRP, once that is done you need to reboot but YOU HAVE TO boot directly back into TWRP. You cannot boot into system, or TWRP will be overwritten by stock recovery and you'll need to start over again. Once TWRP is installed, boot into TWRP and format data then reboot recovery, flash Kernel then flash encryption disabler then unmount the system and flash Magisk 20.4 - Finally reboot to system.
I'd seriously and strongly suggest reading that TWRP thread to ensure things go smoothly.

bartleby999 said:
First you need to install TWRP, once that is done you need to reboot but YOU HAVE TO boot directly back into TWRP. You cannot boot into system, or TWRP will be overwritten by stock recovery and you'll need to start over again. Once TWRP is installed, boot into TWRP and format data then reboot recovery, flash Kernel then flash encryption disabler then unmount the system and flash Magisk 20.4 - Finally reboot to system.
I'd seriously and strongly suggest reading that TWRP thread to ensure things go smoothly.
Click to expand...
Click to collapse
I'll give those threads a thorough reading over tonight and tomorrow night while at work and then see if I can get this all sorted out Monday when I'm off. I remember Pass still working with root on the original Tab S so I'm hoping it hasn't changed.
Thanks for jumping in to try and help me with this. I'll update within a few days instead of months like my last update. ?

noxarcana said:
I'll give those threads a thorough reading over tonight and tomorrow night while at work and then see if I can get this all sorted out Monday when I'm off. I remember Pass still working with root on the original Tab S so I'm hoping it hasn't changed.
Thanks for jumping in to try and help me with this. I'll update within a few days instead of months like my last update. ?
Click to expand...
Click to collapse
It has definitely changed. Pass doesn't work on my Tab S6 and I'm rooted, I guess Knox is now integrated with alot of Samsung apps now. Not sure if it's possible or not to get it working again though, I've never bothered to research it as I don't need it for anything - But as I said, I got Secure Folder working again, so there's some hope for Pass I guess - That first thread I linked looked promising, but I only skimmed it, because frankly I'm not interested.
If you need anymore help, report back -I'll try my best. Also, the TWRP thread I linked is full of helpful people. :good:

bartleby999 said:
It has definitely changed. Pass doesn't work on my Tab S6 and I'm rooted, I guess Knox is now integrated with alot of Samsung apps now. Not sure if it's possible or not to get it working again though, I've never bothered to research it as I don't need it for anything - But as I said, I got Secure Folder working again, so there's some hope for Pass I guess - That first thread I linked looked promising, but I only skimmed it, because frankly I'm not interested.
If you need anymore help, report back -I'll try my best. Also, the TWRP thread I linked is full of helpful people. :good:
Click to expand...
Click to collapse
Perhaps I'm just not meant to have root with this device. Flashing that kernel causes Wifi not to work, but it does boot. Not flashing the kernel also booted, but I couldn't install Magisk Manager. Other than the bootloader still being unlocked, I'm back on stock firmware.

noxarcana said:
Perhaps I'm just not meant to have root with this device. Flashing that kernel causes Wifi not to work, but it does boot. Not flashing the kernel also booted, but I couldn't install Magisk Manager. Other than the bootloader still being unlocked, I'm back on stock firmware.
Click to expand...
Click to collapse
What firmware are you running?
I remember seeing something about one of the newer Kernels effecting WIFI on Android 10. Assume you're running that?
If that's the case, give the TWRP thread a browse - You maybe able to find an older version of the Kernel that'll work - As far as I'm aware, an older Kernel than what you currently installed will work, but a newer version than currently installed will possibly cause bootloop.
I can't help much with Android 10 specific stuff as I'm still running Android 9 because it's stable.

bartleby999 said:
What firmware are you running?
I remember seeing something about one of the newer Kernels effecting WIFI on Android 10. Assume you're running that?
If that's the case, give the TWRP thread a browse - You maybe able to find an older version of the Kernel that'll work - As far as I'm aware, an older Kernel than what you currently installed will work, but a newer version than currently installed will possibly cause bootloop.
I can't help much with Android 10 specific stuff as I'm still running Android 9 because it's stable.
Click to expand...
Click to collapse
I am definitely on the latest Android 10 update so I'll see if I can find an earlier version that will work. I'll see what I can find out on the TWRP thread.

noxarcana said:
I am definitely on the latest Android 10 update so I'll see if I can find an earlier version that will work. I'll see what I can find out on the TWRP thread.
Click to expand...
Click to collapse
If you can't find an older Kernel (I'm not sure there is one for Android 10), it may be the case that you'll need to wait for the Kernel to be updated.

bartleby999 said:
If you can't find an older Kernel (I'm not sure there is one for Android 10), it may be the case that you'll need to wait for the Kernel to be updated.
Click to expand...
Click to collapse
Yea, it looks like Samsung made some "wifi improvements" in OneUI 2.5 and that's causing some kernel issues preventing wifi from working. I think I could find a kernel fairly easily, but I think I'm just going to wait for a kernel update. If it never comes, I'll find an older kernel. Thanks for the help!

How To Guide [GN2200] simple recovery guide from fastboot + obtain root + more

in this thread i am going to outline the method i used to restore my device to may security patch after completely botching my current install after trying to root, on august security patch.
a major hand to PsYk0n4uT for the suggestions he's posted in response to my problems, giving me the ability to figure out what's really going on here amongst other things.
(this is compatible with metropcs branded devices, therefore is compatible with t-mobile branded devices and so on)
anyways.
download this may OTA i discovered somewhere online. (hint: if download quota is exceeded. make a copy to your gdrive, then put it in a folder. download the folder and you will bypass the quota)
the OTA will contain msmdownloadtool, but it is unusable in it's current form because it's an internal tool. you're gonna want to download this tool off github to help assist in decrypting the .ofp file and flashing it's complete contents over automatically.
extract the OTA zip, and place the tool from github in the same folder. if using linux, install the python requirements and if you're on windows, i would suggest replacing the adb/fastboot executables with current versions. probably shouldn't matter, but i did in this case.
put your phone into fastboot and run the tool. further instructions depending on OS, are on the repository's page.
after flashing i had to switch my active slot over to the prior inactive slot before i could boot.
now that you've got your device downgraded, get through the initial setup, set it up offline, and put your phone into power saving mode so it can't automatically update (just in case)
instead of using DSU sideloader to extract the files we need, we can use the same .ofp file that our images came from and extract its contents with this tool
install magisk, copy your boot image over, patch the boot image, return it back to your computer, and enter fastboot mode.
proceed to flash the boot image, and all 3 vbmeta images. (important: be sure to disable verification and disable verity when flashing your vbmetas)
???
profit
i hope this can help anyone that's got a paperweight for a device at the moment, and help anyone who wants to root their device without a bunch of possible nonsense. in turn, hoping this can accelerate any possible development with this device.
protip: after getting everything installed and set up, install the systemless debloater module in magisk and download de-bloater from f-droid. "remove" the update service application (com.oplus.romupdate) and the software update tab in settings will now think you're on the latest security patch and will prevent your device from accidentally being updated. unless you want that to happen.

mirrors:
[vngsm.vn] GN2200export_11_A.05_2022050718170202.zip | VietNam GSM Services
vngsmservices.com
OnePlus Nord N20 5G Flash File (Official Firmware) GSMMAFIA
OnePlus Nord N20 5G Qualcomm Snapdragon 695 5G Flash File available here with MSM download tool to download via Direct link.
www.gsmmafia.com
And no problem man. Im glad others are sharing their knowledge and experience here. I've been focused on other things trying to make some progress on the device but still having to learn a lot along the way.
Hopefully we will have custom recovery soon. Looking promising so far and the real devs have given more time than I could possibly ever expect towards a device they don't even own.
For anyone wanting to know more about the people that are doing the leg work check out the team at https://t.me/Android_General_Chat The devs work hard to make these things happen so if you wanna help the cause consider making a contribution to them.

dmtec said:
in this thread i am going to outline the method i used to restore my device to may security patch after completely botching my current install after trying to root, on august security patch.
a major hand to PsYk0n4uT for the suggestions he's posted in response to my problems, giving me the ability to figure out what's really going on here amongst other things.
oneplus seems to be weakly supporting this device because i tried to ask them again for the OTA (i mean, it's pulling from somewhere, right) and they told me that i'd need to send it into a service center for repair. what's the point of unlockable bootloaders if user error can't be corrected in some way.
(this is compatible with metropcs branded devices, therefore is compatible with t-mobile branded devices and so on)
anyways.
download this may OTA i discovered somewhere online. (hint: if download quota is exceeded. make a copy to your gdrive, then put it in a folder. download the folder and you will bypass the quota)
the OTA will contain msmdownloadtool, but it is unusable in it's current form because it's an internal tool. you're gonna want to download this tool off github to help assist in decrypting the .ofp file and flashing it's complete contents over automatically.
extract the OTA zip, and place the tool from github in the same folder. if using linux, install the python requirements and if you're on windows, i would suggest replacing the adb/fastboot executables with current versions. probably shouldn't matter, but i did in this case.
put your phone into fastboot and run the tool. further instructions depending on OS, are on the repository's page.
after flashing i had to switch my active slot over to the prior inactive slot before i could boot.
now that you've got your device downgraded, get through the initial setup, set it up offline, and put your phone into power saving mode so it can't automatically update (just in case)
instead of using DSU sideloader to extract the files we need, we can use the same .ofp file that our images came from and extract its contents with this tool
install magisk, copy your boot image over, patch the boot image, return it back to your computer, and enter fastboot mode.
proceed to flash the boot image, and all 3 vbmeta images. (important: be sure to disable verification and disable verity when flashing your vbmetas)
???
profit
i hope this can help anyone that's got a paperweight for a device at the moment, and help anyone who wants to root their device without a bunch of possible nonsense. in turn, hoping this can accelerate any possible development with this device.
protip: after getting everything installed and set up, install the systemless debloater module in magisk and download de-bloater from f-droid. "remove" the update service application (com.oplus.romupdate) and the software update tab in settings will now think you're on the latest security patch and will prevent your device from accidentally being updated. unless you want that to happen.
Click to expand...
Click to collapse
BROOOO you are EFFING AWESOME! MUCH LOVE!

bumping my own thread because people are being real extra after "bricking" their phones trying to get them working again

Really glad people are still working on this device. I've been away for a while and no longer have access to mine right now so just wanted to say thanks to those of you continuing the efforts

Careful with this. Windows Defender flagged a virus when I tried to download it.