Nvidia Shield Tv Pro Recovery Image

Roxanna Bornemann
Aug 5, 2024, 7:41:48 AM
NVIDIA also publishes binary "recovery images" for users wishing to revert to the stock NVIDIA OS. Download recovery images from the Download Center (unpack instructions are provided there; the linux package does not require a login).

Before attempting to flash a recovery image, you must have the latest fastboot executable from the Android SDK (available here under the "Get just the command line tools" heading) installed on the host machine.


NVIDIA provides updated Windows USB drivers for developers having issues with the default Google adb or fastboot driver. If your machine is unable to detect SHIELD, download this driver and follow the instructions linked from the Download Center to install.



NVIDIA also publishes binary "recovery images" for users wishing to revert to factory or OTA images for the P1988 and P1988W. Download recovery images from the Download Center (unpack instructions are provided there; the linux package does not require a login).


Last week, Nvidia released recovery images for Nvidia Experience 9.0.0. The company has since removed the images from its website but it appears the links are still working, meaning you can try out the new software right now ahead of the stable rollout. Shield Experience 9.0.0 based on Android 11 will be available for the Shield TV 2019 Pro, Shield TV 2019, Shield TV 2017, Shield TV Pro 2015, and Shield TV 2015.


If you own any of the above devices and would like to try out the new update, we have provided recovery images below for you to manually install the update. Note that you'll need a PC with Fastboot and ADB binaries installed in order to flash the update. For step-by-step instructions on how to enter Fastboot mode on your Shield TV and flash a recovery image, check out Nvidia's documentation.


The new update is based on Android TV 11 and includes September 2021 security patches. Nvidia hasn't shared an official changelog for Shield Experience 9.0.0, so we don't know about what new features and user-facing changes the latest update has to offer.


As far as Android TV 11 changes are concerned, Nvidia Shield TV owners can look forward to many improvements, including native support for controllers like the Nintendo Switch Pro and Steam Controller, low-latency media decoding, a new Tuner Frame Framework, and more.


Attempting to go into recovery mode using the volume-down key & the power button usually brings me to the Nvidia boot screen, where the brightness increases after a few seconds, but then it just sits there until it eventually reboots.


Then, after attempting to reflash the stock recovery.img that I got from here: Shield Open Source Drivers and Images, it still gives me either a) the red triangle and lying dead Android or b) the Nvidia boot screen that sits for a long time before rebooting.


I needed to figure out why the device was not booting, and a UART console usually provides diagnostic information. Some devices (such as the Kindle) even have recovery options available over the serial port. A quick probing of suspicious-looking pads on the logic board yielded no results, but luckily, people in the Linux thread had already found the pins. I was able to solder some wires to the pins and get a serial console.


Unfortunately, there was no recovery option available in the console, but from the logs I was able to understand the reason why the SHIELD TV no longer booted. I had flashed a DTB (device tree blob) designed for an older version of cboot. Therefore, when cboot tries to set up some device with the wrong configuration, it ends up in a dead loop.


Of these options, 1 is unavailable because the boot-loader is indeed valid (and signed) and the processor dies while already running that boot-loader. I spent some time with 2 by trying to short a random sampling of pads on the logic board while attempting to boot (with no luck). 3 is not an option because we need to run software. After chatting with famous Switch hacker @plutoo, he suggested I short out the eMMC while booting to force condition 1. This seemed like a promising route because I remember seeing some unfilled pads near the eMMC. I used a pin to short one of them to the shielding near it and saw the APX device show up on my computer. To make things less painful, I soldered a piece of wire to one of the pads and attached it to a pin I can easily ground.


Getting into APX mode was the first step. NVIDIA designed the USB RCM protocol to only accept signed messages on production fused devices. The key is held by the device manufacturer, which means that only NVIDIA factories are allowed to unbrick the SHIELD TV. However, a few years ago, some researchers discovered a vulnerability in the boot ROM USB stack in the same Tegra X1 chip used in the SHIELD TV and used it to hack the Nintendo Switch. This vulnerability can be exploited to run arbitrary code in the boot processor. The Reswitched team has released a tool to exploit this vulnerability and some other people have since modified the tool to debrick older Tegra devices.


Next, I needed the stock firmware to recover to. Luckily, NVIDIA provides stock recovery images for the SHIELD TV. I downloaded the 9.0.0 recovery image for my SHIELD TV (2015) and extracted the .zip file. Next, I had to extract two files from the blob, which contains the boot-loaders and other data. Opening the file in a hex editor, we see the names of the partitions in ASCII listed in order. By guessing and checking I discovered the structure for each entry is something like:


I only care about two entries: EBT (the cboot boot-loader used by tegrarcm) and DTB (the partition I corrupted), so there was no need to write a script. I hand-extracted EBT as shield-9.0.0-cboot.bin and both DTBs as shield-9.0.0-dtb1.bin and shield-9.0.0-dtb2.bin.


Because the broken DTB I flashed was smaller than the working one, I was able to find the remaining bytes of the original DTB in the dump. I used this to match the bytes up to shield-9.0.0-dtb2.bin which I then flashed:
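As an added example (not code from the original post or from NVIDIA), a small Python check for the situation in the last paragraph: given a dump of the DTB partition and the two DTBs pulled out of the recovery blob, it parses the flattened device tree header (magic 0xd00dfeed and a big-endian totalsize) to find where the smaller, broken DTB ends, then reports which stock DTB matches the residual bytes beyond it. The file names follow the post; the blob contents are constructed stand-ins with valid headers and filler bodies, not real device trees.

```python
import struct

FDT_MAGIC = 0xD00DFEED  # flattened device tree header magic, stored big-endian


def fdt_size(blob: bytes) -> int:
    """Return totalsize from an FDT header, rejecting blobs that are not a DTB."""
    if len(blob) < 8:
        raise ValueError("too short for an FDT header")
    magic, total = struct.unpack(">II", blob[:8])
    if magic != FDT_MAGIC:
        raise ValueError("bad FDT magic 0x%08x" % magic)
    if total < 8 or total > len(blob):
        raise ValueError("totalsize %d inconsistent with blob length %d" % (total, len(blob)))
    return total


def match_residual(dump: bytes, candidates: dict) -> list:
    """Names of candidate DTBs whose bytes past the flashed (broken) DTB equal the dump's residue."""
    broken_len = fdt_size(dump)  # the broken DTB sits at the head of the partition
    matches = []
    for name, blob in candidates.items():
        size = fdt_size(blob)
        if size <= broken_len:
            continue  # fully overwritten: no residual bytes left to compare
        if dump[broken_len:size] == blob[broken_len:size]:
            matches.append(name)
    return matches


def make_fdt(total: int, fill: int) -> bytes:
    """Constructed stand-in for a DTB: valid header followed by filler, not a real device tree."""
    return struct.pack(">II", FDT_MAGIC, total) + bytes([fill]) * (total - 8)


# Constructed sample data: two stock DTBs from the blob, the smaller broken DTB that was
# flashed over dtb2, and the resulting partition dump padded with zeros to partition size.
DTB1 = make_fdt(0x400, 0xAA)
DTB2 = make_fdt(0x600, 0xBB)
BROKEN = make_fdt(0x200, 0xCC)
DUMP = (BROKEN + DTB2[len(BROKEN):]).ljust(0x1000, b"\x00")


def demo() -> list:
    return match_residual(DUMP, {"shield-9.0.0-dtb1.bin": DTB1, "shield-9.0.0-dtb2.bin": DTB2})
```

If both stock DTBs share the same bytes in the residual region the function returns both names, which tells you the residue alone cannot decide between them.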
