This is still an unsolved mystery. Skip if you are here for an answer, continue reading if interested in the journey.

The high level problem

How can I root a stb, running Android 6.0.1 with no access to bootloader. I have access to recovery, but it accepts only vendor encrypted/signed update files. Adb via usb is not available, but can connect using wifi/lan when OS has booted. Have already tried most one-click apps.

But why root?

The Amazon Prime app on the settop box lags a lot many a times while Netflix and Youtube work perfectly fine. So, I thought of diagnosing the problem using adb logact and found every few seconds, few frames are getting skipped. To analyze the problem further, isolate bandwidth/resources problems vs app problem, wanted to root the device.
This is the first time, I am trying to root a device for which no existing solution is available. I have been trying to root for two weeks now, but no luck. . While the Amazon prime was the reason for this voyage, rooting will open new avenues.

About the device:

  • Sold by Airtel India under brand name Internet TV (Not IPTV)
  • Manufactured by LG Electronics. Model: SH960S-AT
  • LG has published the opensource components used here.
  • More details about the hardware here.
  • Android Lollypop, upgraded to Marshmallow 6.0.1
  • With March 2018 Android Security Update

 

Here is what all I have tried so far:

 

ADB

Device does not detect when connected using USB Male to Male cable. So, no ADB USB. However, I can connect ADB using Wifi. (adb connect IP). To be sure of the IP, I have configured my Router DHCP to assign a specific IP to the MAC I found in default.prop persist.sys.usb.config=none. My assumption, airtel has disabled adb via USB connection.

 

Bootloader
If I do a adb reboot bootloader, system restarts but gets stuck on the vendor logo.
In that state, I have tried many possible key combinations (power button on the box, several other buttons on the remote and usb keyboard), but it stays stuck there, until you pull the plug.
I have also tried many button combinations in power off state, no luck.
USB is still not recognized in this state, so no adb or fastboot.

 

Recovery
Doing adb reboot recovery restarts the system into the stock android recovery.
The same screen can be reached by following steps:
  • Unplug the box
  • Keep the power button pressed, plug in the device.
  • After the android logo comes, press Home from keyboard.

 

The following options are available:
Reboot to Bootloader: Same as above, gets stuck on vendor logo.
Apply update from Adb: Since usb connection/adb is not available, it just waits for a connection and times out. Adb using wifi/lan does not work. I assume, their drivers are not initialized in recovery.
Apply update from SD Card: I have copied the usual (su binary update.zip) to root of sd card. But it does not mount SD card properly. I have tried SD cards of different sizes, formats etc., no luck.

Apply update from USB: It was not recognized initially, but after going through recovery logs and trying several formats for the card, now it recognizes the card. I can select the zip file, but it shows Failed to map file. I assume it is not finding a vendor specific signature/encryption

 

One-click apps and other exploits
Have tried all the popular one-click apps, Kingroot, Framaroot, etc., no luck. I have also tried dirtycow exploit. But since the security update is March 2018, none of the known exploits work. I am yet to find any POC for fixes in April 2018 or later android security updates.

 

Update service:
One system app called OtaDownloaderApp.apk is probably used by the vendor to push OTA updates. Pulled the apk and disassembled it to find the url of the update file. Downloaded it to understand the structure and explore any other possibility. It does not seem like a normal .zip file and might be encrypted. I tried the above file as Apply Update from USB from Recovery, it installed the updates

 

Now, could there be a way to decrypt/modify the update file to include su? Still searching for an answer.

To add: Since the device is yet to be rooted, no way to extract the boot.img and patching.

Have a suggestion? Contribute to the discussion at xda-developers.