We’re happy to announce that fail0verflow, GTVHacker, and Team-Eureka have jointly discovered and exploited a new vulnerability in the Chromecast that allows root access on the current software build (17977) as well as on new-in-box devices (proof).
- Chromecast Device
- Teensy 2 or 2++
- Teensy Loader - https://www.pjrc.com/teensy/loader.html
- 1GB+ Flashdrive
- The files included in the zip
- Install the appropriate Teensy Root Package on your device.
- If the device is new in box, use 12940; otherwise use 16664.
- Use plusplus_*.hex for 2++ model, regular_*.hex for 2 model
- Using Win32DiskImager or dd, install the Flashcast Image to the 1GB+ Flashdrive.
- Plug in the Teensy to a USB OTG Cable, and plug it into the Chromecast while holding down the reset button.
- The Teensy light should start flashing. If not, try the process again. After 30 seconds, it should go solid orange and the Chromecast LED should turn white.
- Unplug the Teensy, then plug in the flashdrive loaded with Flashcast into the OTG cable, and then press the Chromecast button again.
- If you used the 12940 image, the LED should turn white. If you used the 16664 image, the LED should stay dim red.
- After about 5 minutes, the Chromecast should reboot and your device should now be rooted!
- “I am using a USB hub with an OTG cable, why is it not working?”
- This root method requires a powered OTG cable and will not work over a USB hub. This is because the Teensy needs to be directly connected to the Chromecast to work and cannot go over a USB hub.
- “How can I tell if the root is running?”
- If the Chromecast is plugged into a TV, you should see a Flashcast message telling you your device is being rooted. If you do not see this message, unplug the Chromecast and try again.
Google Inc. - Thanks for the awesome device, now add fastboot support
XDA-Developers - For being the home of Chromecast Development
Exploit Demo: https://www.youtube.com/watch?v=S2K72qNv1_Q