# Fully Extracted TiVo Stream 4k Rom:



## Eliminater74

I have Fully Extracted The ROM from this Device. Not something that is easy to do, I am a retired Android Developer Author of Nebula Kernel and PureFusionOS, Some might have heard of me and most prob havent. But This is a good device for the money. I know it has some issues. But with the extracted rom, you can do many things. Even Root it. This ZIP is not rooted. its fully stock as Developer has intended. Not a single mod has been added. I have created my own extracting tools for linux, even the LOGO is extracted but not included as extracted, I only included the image files only. RAW Image. I have the ability to create a USB Burn Image. But have not done so yet.
I want to do some testing first. Before anyone asks me, I have a Latest Amazon FireCube 4k and FireStick 4k and a JetStream 4k ATV Box, Also a qbeel y8 Max Android TV Box, and I have had other boxes as well, I have the Tivo Stream 4k with I got recently and I must tell you, The Tivo has best picture and speed from all my devices.

Extracted logo.img: (Not included)


Code:


dbg:res-img ver is 0x2
dbg:item LOGO/logo/upgrade_logo
dbg:item LOGO/logo/recovery_boot
dbg:item LOGO/logo/burn
dbg:item LOGO/logo/upgrade_error
dbg:item LOGO/logo/upgrade_bar
dbg:item LOGO/logo/fastboot
dbg:item LOGO/logo/upgrade_success
dbg:item LOGO/logo/bootup
dbg:item LOGO/logo/upgrade_upgrading
dbg:item LOGO/logo/upgrade_fail
dbg:item LOGO/logo/upgrade_unfocus

I have included the following in the archive:


Code:


ogo.img
recovery.img
boot.img
product.img
odm.img
vbmeta.img
dtbo.img
DDR.USB
_aml_dtb.img.img
vendor.img
system.img

system.img, vendor.img, odm.img, product.img, Can all be extracted as well
DDR.USB = bootloader

as you can see here:


Code:


file="_aml_dtb.PARTITION"        main_type="PARTITION"        sub_type="_aml_dtb"
file="boot.PARTITION"        main_type="PARTITION"        sub_type="boot"
file="DDR_ENC.USB"        main_type="PARTITION"        sub_type="bootloader"
file="dtbo.PARTITION"        main_type="PARTITION"        sub_type="dtbo"
file="logo.PARTITION"        main_type="PARTITION"        sub_type="logo"
file="odm.PARTITION"        main_type="PARTITION"        sub_type="odm"
file="product.PARTITION"        main_type="PARTITION"        sub_type="product"
file="recovery.PARTITION"        main_type="PARTITION"        sub_type="recovery"
file="system.PARTITION"        main_type="PARTITION"        sub_type="system"
file="vbmeta.PARTITION"        main_type="PARTITION"        sub_type="vbmeta"
file="vendor.PARTITION"        main_type="PARTITION"        sub_type="vendor"

Yes I know DDR.USB should be named DDR_ENC.USB (my mistake)
doesnt matter, the partition name is bootloader either way.

if I get the time and my test are positive on a few things im trying, then I might just
create a USB Burn Image that you can use the USB Burning Tool to burn the firmware.

PS: Now you can Debloat this ROM the correct way, even reroute the assigned Buttons, So much you could do. I did not mess with keys and so on. All that should be still intact.

WARNING: If you flash any of the images, you will be safe flashing boot, system, vendor, product, odm, logo, recovery.

BUT: be warned: flashing any of the other images can result in a brick.
I have not fully tested the other images being flashed back. But have tested the images I mentioned above.

I am not responsible for you creating a paper weight, Do not attempt anything if you have no clue what your doing. Leave that to the Risk takers only.
*YOU HAVE BEEN WARNED:*

Download From Here: Downloads for : -Android- Generic Device/Other | AndroidFileHost.com | Download GApps, Roms, Kernels, Themes, Firmware and more. Free file hosting for all Android developers.


----------



## Eliminater74

Note: vbmeta = dm-verity which this box its disabled, as in most android tv boxes are.
boot is listed as secured, which checks sigs at boot level process.
forceencrypt is enabled, which allows encryption to fully work.

I am not 100% sure but I think this vbmeta is a dummy since we are talking about android tv boxes not android phones/tablets..
I noticed some sections in the extracted system.img that talk about treble. I dont see that being possible on a device like this.

Ohh yeah, I did try and contact TiVo about getting a fully working USB Burning Tool Image file so I can fix a TiVo box, they acted like they had no clue what I was talking about, I kindly told them we can do this the easy way or the hard way but either way I will access this and if I had to do it the hard way, I would exploit the box, and will release to the public all my findings. I also told them if we did this the easy way and they just hand over the image, I would not have had to go this route. 

Again they acted like they had no clue what I was talking about, So, Step one is this extracted rom, Step 2 + will come next soon..

BTW: I did some comparing images and configs from my other box USB Burning Tool Images, and noticed pretty much same.. Amlogic seems to have a set standard that doesnt change.

I have been known to take basic android tv boxes that dont have ATV and nearly impossible to get ATV on them.. and well. Customize it so ATV is on them.

Yes I did retire from Android Development, But I still like to mess around with this stuff every once in a while. But its not something I will do all the time. I am also
a OpenWRT Developer for the LinkSys Routers (wrt3200acm).

My main hobby is Riding my Bike (Motorcycle)


----------



## Eliminater74

After time playing around, I realized that the vbmeta image is signed, and to be able to customize the system/boot/vendor you will have to mess with this:

anyhow here is the signed vbmeta:


Code:


python avbtool info_image --image vbmeta.img
Minimum libavb version:   1.0
Header Block:             256 bytes
Authentication Block:     320 bytes
Auxiliary Block:          2560 bytes
Public key (sha1):        cdbb77177f731920bbe0a0f94f84d9038ae0617d
Algorithm:                SHA256_RSA2048
Rollback Index:           0
Flags:                    0
Rollback Index Location:  0
Release String:           'avbtool 1.1.0'
Descriptors:
    Hashtree descriptor:
      Version of dm-verity:  1
      Image Size:            132018176 bytes
      Tree Offset:           132018176
      Tree Size:             1044480 bytes
      Data Block Size:       4096 bytes
      Hash Block Size:       4096 bytes
      FEC num roots:         2
      FEC offset:            133062656
      FEC size:              1056768 bytes
      Hash Algorithm:        sha1
      Partition Name:        product
      Salt:                  8efff15f71049420a18064a35f327299aa23e20e8e24138f79be7fcb020e57a5
      Root Digest:           348f3a2f847791c2fb8f0febf0009c46fb7e4adb
      Flags:                 0
    Hashtree descriptor:
      Version of dm-verity:  1
      Image Size:            264114176 bytes
      Tree Offset:           264114176
      Tree Size:             2084864 bytes
      Data Block Size:       4096 bytes
      Hash Block Size:       4096 bytes
      FEC num roots:         2
      FEC offset:            266199040
      FEC size:              2105344 bytes
      Hash Algorithm:        sha1
      Partition Name:        vendor
      Salt:                  8efff15f71049420a18064a35f327299aa23e20e8e24138f79be7fcb020e57a5
      Root Digest:           ca3d1625147599c18031b9fc22a74f66c57128dc
      Flags:                 0
    Hash descriptor:
      Image Size:            16192512 bytes
      Hash Algorithm:        sha256
      Partition Name:        recovery
      Salt:                  2b27424ad24af81f76e0acb2cc616094d919979f7847aa2cf6e5427e1dc18abb
      Digest:                07f5e04c10e35b38f57100a0be0e084dfe23d1f7c03d4f66fa792380c4538ee2
      Flags:                 0
    Hash descriptor:
      Image Size:            9819136 bytes
      Hash Algorithm:        sha256
      Partition Name:        boot
      Salt:                  dcd5b0f7bc5fec601fe9df878aabc4886292ae704a4b80d9b359cd48e3eacc1b
      Digest:                c20afeb5ca0a8fcbda34a661c74d7d6c69da148457e0976b3ddb703ccfe6fccf
      Flags:                 0
    Hashtree descriptor:
      Version of dm-verity:  1
      Image Size:            1527320576 bytes
      Tree Offset:           1527320576
      Tree Size:             12034048 bytes
      Data Block Size:       4096 bytes
      Hash Block Size:       4096 bytes
      FEC num roots:         2
      FEC offset:            1539354624
      FEC size:              12173312 bytes
      Hash Algorithm:        sha1
      Partition Name:        system
      Salt:                  8efff15f71049420a18064a35f327299aa23e20e8e24138f79be7fcb020e57a5
      Root Digest:           a78f10c5758299ea8bddcf64a3c4414845aa00e1
      Flags:                 0
    Kernel Cmdline descriptor:
      Flags:                 1
      Kernel Cmdline:        'dm="1 vroot none ro 1,0 2983048 verity 1 PARTUUID=$(ANDROID_SYSTEM_PARTUUID) PARTUUID=$(ANDROID_SYSTEM_PARTUUID) 4096 4096 372881 372881 sha1 a78f10c5758299ea8bddcf64a3c4414845aa00e1 8efff15f71049420a18064a35f327299aa23e20e8e24138f79be7fcb020e57a5 10 $(ANDROID_VERITY_MODE) ignore_zero_blocks use_fec_from_device PARTUUID=$(ANDROID_SYSTEM_PARTUUID) fec_roots 2 fec_blocks 375819 fec_start 375819" root=/dev/dm-0'
    Kernel Cmdline descriptor:
      Flags:                 2
      Kernel Cmdline:        'root=PARTUUID=$(ANDROID_SYSTEM_PARTUUID)'
    Hash descriptor:
      Image Size:            438 bytes
      Hash Algorithm:        sha256
      Partition Name:        dtbo
      Salt:                  8efff15f71049420a18064a35f327299aa23e20e8e24138f79be7fcb020e57a5
      Digest:                d8e18393d231a5e3ddf0ff0a694680e9831502d61a886cfe07506bbe41e0bc31
      Flags:                 0
    Hash descriptor:
      Image Size:            80384 bytes
      Hash Algorithm:        sha256
      Partition Name:        dtb
      Salt:                  181c0405759cf02e74649498a868636fcb2f2933c0acaf1152e039272b795755
      Digest:                29ff4dfbde1268408823bf2a222700dd2a07a19b37eb630a307ebffb04bb71c7
      Flags:                 0

The Extracted public key from vbmeta is:


Code:


-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxlVR3TIkouAOvH79vaJT
gFhpfvVKQIeVkFRZPVXK/zY0Gvrh4JAqGjJoW/PfrQv5sdD36qtHH3a+G5hLZ6Ni
+t/mtfjucxZfuLGC3kmJ1T3XqEKZgXXI2IR7vVSoImREvDQGEDyJwtHzLANlkbGg
0cghVhWZSCAndO8BenalC2v94/rtDfkPekH6dgU3Sf40T0sBSeSY94mOzTaqOR2p
fV1rWlLRdWmo33zeHBv52Rlbt0dMuXAureXWiHztkm5GCBC1dgM+CaxNtizNEgC9
1KcD0xuRCCM2WxH+r1lpszyIJDctYbrFmVEYl/kjQpafhy7Nsk1fqSTyRdriZSYm
TQIDAQAB
-----END PUBLIC KEY-----


----------



## vancedailey

I bought 6 TiVo Stream 4ks shortly after it came out. The picture quality was great. I liked the remote. Being able to upgrade the memory was a plus. And as a long term TiVo user I thought there was a chance they would provide a way to play shows recorded on a TiVo DVR. I also thought the introductory price was going to undercut the price for google's rumored Sabrina.
But then they introduced the Youtube TV bug and proceeded to let it fester for several months with no commitment to fixing it. So I bought 6 Chromecast with Google TVs and peace reigns in my home. I still like the remote and extra memory so every month or two I check back here and see if anything has changed.
It seems that your generous work could extend the life of the product even if TiVo abandons it.
I have a few questions.
1. Do you feel that the fact that the Stream 4K is built on Android 9 is likely to be an issue going forward? (I read somewhere that it may be updated to Android 10)
2. The Button Mapper app is unable to remap most of the buttons on the remote. If the issue is not with with the signals/codes sent by the remote itself can all the keys be exposed to Button Mapper?
3. I take it you are hoping others will be able to take what you have done and remove references to Sling TV and TiVo's Stream App; correct?

I appreciate your efforts. I just hope there are enough enthusiasts left around to pickup your work and move it forward.
Thanks,
Vance


----------



## Eliminater74

vancedailey said:


> I bought 6 TiVo Stream 4ks shortly after it came out. The picture quality was great. I liked the remote. Being able to upgrade the memory was a plus. And as a long term TiVo user I thought there was a chance they would provide a way to play shows recorded on a TiVo DVR. I also thought the introductory price was going to undercut the price for google's rumored Sabrina.
> But then they introduced the Youtube TV bug and proceeded to let it fester for several months with no commitment to fixing it. So I bought 6 Chromecast with Google TVs and peace reigns in my home. I still like the remote and extra memory so every month or two I check back here and see if anything has changed.
> It seems that your generous work could extend the life of the product even if TiVo abandons it.
> I have a few questions.
> 1. Do you feel that the fact that the Stream 4K is built on Android 9 is likely to be an issue going forward? (I read somewhere that it may be updated to Android 10)
> 2. The Button Mapper app is unable to remap most of the buttons on the remote. If the issue is not with with the signals/codes sent by the remote itself can all the keys be exposed to Button Mapper?
> 3. I take it you are hoping others will be able to take what you have done and remove references to Sling TV and TiVo's Stream App; correct?
> 
> I appreciate your efforts. I just hope there are enough enthusiasts left around to pickup your work and move it forward.
> Thanks,
> Vance


It may surely be possible to edit system/vendor and remove alot of the crap. and remap the buttons as well.. but to be able to flash it, you will have
to resign the system. OEM unlock doesnt work on latest. The Tivo pretty much updates when you run it for first time with no way to bypass it.
what I would try is, Using the USB Burning Image that is possibly able to be unlocked, then make the changes and then some or something..
I havent looked much more into it lately.. have alot going on at home level..... but if anyone else wants to look into it, have at it.

When I get the time, I will check things out again.


----------



## vancedailey

Its beyond my skill set to contribute but since TiVo at best seems to have this on life support I hope a few a people come forward to keep it alive.
Every streaming box available has an UI that is compromised by advertising. This could be different.


----------



## Eliminater74

vancedailey said:


> Its beyond my skill set to contribute but since TiVo at best seems to have this on life support I hope a few a people come forward to keep it alive.
> Every streaming box available has an UI that is compromised by advertising. This could be different.


I would love the challenge, I just dont know if I have the time. this little TiVo Stream 4k Box/Dongle is small/compact it doesnt have much space, USB flash drives only a few would even seem to work, But in all, if you only use this device for watching TV/Movies, and maybe a few other things, its a good device. Picture Quality is great. Not bad for $30+..

I have worked on many Android TV Boxes in the past. Converted many TV Boxes to ATV, which many said couldnt be possible. I will look more into this when I get the time.
As of now, I just got way to much to handle to be working on this. I do tend to jump around as well. I put the IDEA out there. I also got much started.

The development of the BOX it self might be dead. But the development from Private users doesnt have to be dead..


----------



## staknhalo

Dunno if this will help at all, but unlike other Android TV STB devices such as SHIELD or Nexus Player or Mi Box S - Tivo Stream 4k is Android TV Operator Tier device IIRC (so more like a cable company's custom Android TV box instead of the others) - there might be resources/guides out there for the 'Operator Tier' specifically that might help you.


----------



## dbpaddler

I think saying the TS4k is based off of their operator tier access is a stretch. What has you believing the TS4k is based on that? Their Stream app is just that, an app. And I'd imagine their tweaks are no different than what nvidia or xiaomi do on their boxes. Well, maybe just not as well. 

Sent from my SM-N986U1 using Tapatalk


----------



## staknhalo

dbpaddler said:


> I think saying the TS4k is based off of their operator tier access is a stretch. What has you believing the TS4k is based on that? Their Stream app is just that, an app. And I'd imagine their tweaks are no different than what nvidia or xiaomi do on their boxes. Well, maybe just not as well.
> 
> Sent from my SM-N986U1 using Tapatalk


1) All Tivo's Android TV devices (retail Stream 4K isn't the only one - they supply Tivo Android TV products/solutions to cable co's too) appear to be operator tier

2) Operator tier devices were not upgraded to the Google TV-esque Android TV homescreen update - they were purposely excluded from the rollout - they still maintain the red 'all apps' circle to the left of the main app row on the homescreen - this is only on found operator tier devices now (SHIELD was longest non-operator tier holdout) - operator tier devices still have the homescreen backdrop images though (this was from a separate former Android TV homescreen update)


----------



## hoogar

Hi. Can you write the installation steps step by step?

The day I bought the Tivo it turned off by itself and never came back on. I want to try everything. I pray for you if it works )

SM-N9500 cihazımdan Tapatalk kullanılarak gönderildi


----------



## TacoBellRace

Just wanted to say thanks, and that I'm following!


----------



## Resinous

Can anyone explain how to STAY on a debug build? I tried USB Burn tool and downgraded to the debug build with root on XDA forums, build is like 2155. But after flashing if I don't factory wipe data in recovery i get a boot loop. When i wipe data I'm in the debug build with the OEM Unlock option, BUT, as soon as the device boots it forces me to update back to non-debug 5614 build and reactivate the device on Tivo website. How the hell do i stay on debug build long enough to unlock Oem Unlock toggle..I'm going crazy


----------



## burntoc

Eliminater74 said:


> I have Fully Extracted The ROM from this Device. Not something that is easy to do, I am a retired Android Developer Author of Nebula Kernel and PureFusionOS, Some might have heard of me and most prob havent. But This is a good device for the money. I know it has some issues. But with the extracted rom, you can do many things. Even Root it. This ZIP is not rooted. its fully stock as Developer has intended. Not a single mod has been added. I have created my own extracting tools for linux, even the LOGO is extracted but not included as extracted, I only included the image files only. RAW Image. I have the ability to create a USB Burn Image. But have not done so yet.
> I want to do some testing first. Before anyone asks me, I have a Latest Amazon FireCube 4k and FireStick 4k and a JetStream 4k ATV Box, Also a qbeel y8 Max Android TV Box, and I have had other boxes as well, I have the Tivo Stream 4k with I got recently and I must tell you, The Tivo has best picture and speed from all my devices.
> 
> Extracted logo.img: (Not included)
> 
> 
> Code:
> 
> 
> dbg:res-img ver is 0x2
> dbg:item LOGO/logo/upgrade_logo
> dbg:item LOGO/logo/recovery_boot
> dbg:item LOGO/logo/burn
> dbg:item LOGO/logo/upgrade_error
> dbg:item LOGO/logo/upgrade_bar
> dbg:item LOGO/logo/fastboot
> dbg:item LOGO/logo/upgrade_success
> dbg:item LOGO/logo/bootup
> dbg:item LOGO/logo/upgrade_upgrading
> dbg:item LOGO/logo/upgrade_fail
> dbg:item LOGO/logo/upgrade_unfocus
> 
> I have included the following in the archive:
> 
> 
> Code:
> 
> 
> ogo.img
> recovery.img
> boot.img
> product.img
> odm.img
> vbmeta.img
> dtbo.img
> DDR.USB
> _aml_dtb.img.img
> vendor.img
> system.img
> 
> system.img, vendor.img, odm.img, product.img, Can all be extracted as well
> DDR.USB = bootloader
> 
> as you can see here:
> 
> 
> Code:
> 
> 
> file="_aml_dtb.PARTITION"        main_type="PARTITION"        sub_type="_aml_dtb"
> file="boot.PARTITION"        main_type="PARTITION"        sub_type="boot"
> file="DDR_ENC.USB"        main_type="PARTITION"        sub_type="bootloader"
> file="dtbo.PARTITION"        main_type="PARTITION"        sub_type="dtbo"
> file="logo.PARTITION"        main_type="PARTITION"        sub_type="logo"
> file="odm.PARTITION"        main_type="PARTITION"        sub_type="odm"
> file="product.PARTITION"        main_type="PARTITION"        sub_type="product"
> file="recovery.PARTITION"        main_type="PARTITION"        sub_type="recovery"
> file="system.PARTITION"        main_type="PARTITION"        sub_type="system"
> file="vbmeta.PARTITION"        main_type="PARTITION"        sub_type="vbmeta"
> file="vendor.PARTITION"        main_type="PARTITION"        sub_type="vendor"
> 
> Yes I know DDR.USB should be named DDR_ENC.USB (my mistake)
> doesnt matter, the partition name is bootloader either way.
> 
> if I get the time and my test are positive on a few things im trying, then I might just
> create a USB Burn Image that you can use the USB Burning Tool to burn the firmware.
> 
> PS: Now you can Debloat this ROM the correct way, even reroute the assigned Buttons, So much you could do. I did not mess with keys and so on. All that should be still intact.
> 
> WARNING: If you flash any of the images, you will be safe flashing boot, system, vendor, product, odm, logo, recovery.
> 
> BUT: be warned: flashing any of the other images can result in a brick.
> I have not fully tested the other images being flashed back. But have tested the images I mentioned above.
> 
> I am not responsible for you creating a paper weight, Do not attempt anything if you have no clue what your doing. Leave that to the Risk takers only.
> *YOU HAVE BEEN WARNED:*
> 
> Download From Here: Downloads for : -Android- Generic Device/Other | AndroidFileHost.com | Download GApps, Roms, Kernels, Themes, Firmware and more. Free file hosting for all Android developers.


Looks like there is an ota zip floating around from the new version with the OS update. Not meeting an img file, the Amlogic tool doesn't work for it. Since you seem to know your stuff, and chance you could put some quick steps on how to flash it from recovery or fastboot maybe?


----------



## a11d3lete

Do you actually see the OEM unlock option? Debug version has usb debugging turned on automatically, so you can install apps and launch them using adb. I did that but to get into my settings, but my developer options just say "developer options not available to this user"


----------



## swiftly

Once the initial setup wizard is completed to the end, the developer options menu becomes active instead of saying "developer options not available for this user".

The only type of user for which the "developer options not available for this user" message is shown is the user who has not completed the initial setup wizard.



a11d3lete said:


> Do you actually see the OEM unlock option?


There isn't any such option in any version of the ts4k firmware thus far, or in any version of any similar SEI device — unless it is running the google tv os instead of just the android tv os.

The SEI bootloader doesn't exactly work that way. Lock status and unlock ability is toggled based on buildtype (user or userdebug), not on any oem toggle from the developer options menu. And the way that the bootloader test on the buildtype status is done means that any prior lock status does not retain or transfer to the other buildtype, should a different buildtype later be installed.


----------



## bobbymo

Flashing a neutered vbmeta.img aloows one to flash custom system/vendor/product images just FYI.
Any luck on getting password.bin for download mode?


----------



## bobbymo

Eliminater74 said:


> I have included the following in the archive:
> 
> 
> Code:
> 
> 
> ogo.img
> recovery.img
> boot.img
> product.img
> odm.img
> vbmeta.img
> dtbo.img
> DDR.USB
> _aml_dtb.img.img
> vendor.img
> system.img


@Eliminater74 What is the ogo.img? Do you happen to have the misc partition dumped?


----------



## fixsony

this rom android 9 or 10


----------

