
[ROOT] HubCap Chromecast Root Release!

OP Team-Eureka

23rd August 2014, 02:44 AM   |  #1  
Dear XDA Users,

We’re happy to announce that fail0verflow, GTVHacker, and Team-Eureka have jointly discovered and exploited a new vulnerability in the Chromecast which allows root access on the current software build (17977) as well as new in box devices (proof).

Requirements

Instructions
  1. Install the appropriate Teensy Root Package on your device.
    • If New In Box device, use 12940 otherwise use 16664.
    • Use plusplus_*.hex for 2++ model, regular_*.hex for 2 model
  2. Using Win32DiskImager or dd, install the Flashcast Image to the 1G+ Flashdrive.
  3. Plug in the Teensy to a USB OTG Cable, and plug it into the Chromecast while holding down the reset button.
    • The Teensy light should start flashing. If not, try the process again. After 30 seconds, it should go solid orange and the Chromecast LED should turn white.
  4. Unplug the Teensy, then plug in the flashdrive loaded with Flashcast into the OTG cable, and then press the Chromecast button again.
    • If you used the 12940 image, the LED should turn white. If you used the 16664 image, the LED should stay dim red.
  5. After about 5 minutes, the Chromecast should reboot and your device should now be rooted!

Having Problems?
  • “I am using a USB hub with an OTG cable, why is it not working?”
    • This root method requires a powered OTG cable and will not work over a USB hub. This is because the Teensy needs to be directly connected to the Chromecast to work and cannot go over a USB hub.
  • “How can I tell if the root is running?”
    • If the Chromecast is plugged into a TV, you should see a Flashcast message telling you your device is being rooted. If you do not see this message, unplug the Chromecast and try again.

Created By

@fail0verflow
@gtvhacker
@Dev_Team_Eureka

Shoutouts

Google Inc. - Thanks for the awesome device, now add fastboot support
XDA-Developers - For being the home of Chromecast Development

Download

Exploit Demo: https://www.youtube.com/watch?v=S2K72qNv1_Q
Download: http://download.gtvhacker.com/file/c...ast/HubCap.zip


Source:
GitHub: https://github.com/axoltl/HubCap
Last edited by Team-Eureka; 29th August 2014 at 01:43 PM. Reason: Add Source
23rd August 2014, 04:14 AM   |  #2  
psouza4
Brilliant -- working through the steps now!

One bit of missing hardware that may seem obvious: you'll need a USB-to-MiniUSB cable to program the Teensy. It doesn't ship with one and it wasn't shown in the video. I had a spare, so I'm in business and will edit my post once I'm able to successfully flash my Chromecast, but it may need to be put down on the required parts list.

UPDATE: worked like a charm!
Sir, you are being rooted

The rooted device was purchased from Amazon two days ago with Prime shipping. Its S/N begins 3C24***. I couldn't tell you how happy I am to have not missed root this time around.

Thanks again for all your work, guys!
Last edited by psouza4; 23rd August 2014 at 04:45 AM. Reason: Update
23rd August 2014, 04:23 AM   |  #3  
FusionX
Awesome, thanks! Downloading now and will update!

Edit: flawless victory! Rooted 2 CC, one new in box and the other on latest firmware. Great work! Can't wait to see the source to understand how the exploit took place.
Last edited by FusionX; 23rd August 2014 at 04:57 AM.
23rd August 2014, 04:55 AM   |  #4  
Amazing! Thanks!
23rd August 2014, 05:05 AM   |  #5  
Yea! I have a rooted CCast....

Just a note for Windows users who use Win32DiskImager... the Flashcast image doesn't show using the browse because it's a BIN, not an IMG file...
Just remove the file filter to *.* to see the proper image to burn to the USB Jump Drive.
23rd August 2014, 05:09 AM   |  #6  
Congrats to the team!
23rd August 2014, 05:10 AM   |  #7  
ClearD
Gonna get my teensy asap! CC unplugged until then. Thank you so much, team!!
23rd August 2014, 05:19 AM   |  #8  
Is this persistent and does it block OTAs?
23rd August 2014, 05:20 AM   |  #9  
psouza4
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.

It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?

I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.

Thoughts?
23rd August 2014, 05:23 AM   |  #10  
FusionX
Quote:
Originally Posted by psouza4

Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.

It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?

I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.

Thoughts?

Not sure, but one of the ones I just rooted was 37*** that was on the latest OTA.

I used the 16664 with a 2++
