PSA: The new OTA (build 12840) patches the bootloader exploit used to obtain root


gnatman

Member
Jun 12, 2010
I decided to telnet into my chromecast and use cat to append the following line to my hosts file:

127.0.0.1 dl.google.com

So hopefully it shouldn't be able to download any updates. I tried using wget on the chromecast to manually download the updates and they were successfully blocked.

Edit: This seems to reset itself on reboot, so I guess it is only a temporary fix.
 

Louer Adun

Senior Member
Jan 19, 2010
I decided to telnet into my chromecast and use cat to append the following line to my hosts file:

127.0.0.1 dl.google.com

So hopefully it shouldn't be able to download any updates. I tried using wget on the chromecast to manually download the updates and they were successfully blocked.

Edit: This seems to reset itself on reboot, so I guess it is only a temporary fix.

How do you know that the download URL is dl.google.com? If we are positive that is the URL that it is checking for updates, I'll just block it via my router to make sure my Chromecasts stay on 12072 until I can root them permanently.
 

ddggttff3

Inactive Recognized Developer
Dec 13, 2009
Minnesota
Also, I'd assume replacing /boot/recovery.img with a custom recovery or just removing it would also prevent updates. Not sure though; I also don't have a chromecast.

Also, if you are feeling adventurous, try this: http://db.tt/Ja1XBNgH. If it works, you'll have the latest software, root, and no updated bootloader. If it doesn't work, you might be able to recover by using gtvhacker's image. No promises though; since I don't own a chromecast, I can't test it. Don't blame me if your chromecast quits working, explodes, kills your puppy, or hands North Korea some working nukes.

@xuser your signature made me think there was an actual bug on my screen. I tried to kill it, but it ignored my attempts and kept crawling around under the glass.

Just tested, it won't even flash. Thanks for trying tho!

EDIT: Actually I dd'd the image wrong. Just did it the right way, flashed it, and I now have root (woo!), except it still reports as build 12072 in the build.prop.
 

tvall

Senior Member
Oct 10, 2010
Springfield
The build.prop is part of the kernel, which isn't flashed by that image. You should do it manually. It actually has some wifi driver updates, which should be beneficial.

Telnet into your chromecast, and download this file http://dl.dropboxusercontent.com/u/19978192/boot.img to a writable location (/tmp?). Then dd that to whichever partition is the kernel partition (cat /proc/mtd or /proc/partitions to find out).
 

ddggttff3

Inactive Recognized Developer
Dec 13, 2009
Minnesota
The build.prop is part of the kernel, which isn't flashed by that image. You should do it manually. It actually has some wifi driver updates, which should be beneficial.

Telnet into your chromecast, and download this file http://dl.dropboxusercontent.com/u/19978192/boot.img to a writable location (/tmp?). Then dd that to whichever partition is the kernel partition (cat /proc/mtd or /proc/partitions to find out).

Sounds good, I'll do it and let you know how it goes. Wish we had a recovery for this that didn't check for signatures so we could just modify the ota.zip file.
 

ddggttff3

Inactive Recognized Developer
Dec 13, 2009
Minnesota
If I have time, I'll be taking a look at the recovery when I get home.

Sent from my Evo V 4G using Tapatalk 2

Thanks, and I am unable to dd the kernel img; it says it is unable to open for write.

Mounts:
Code:
dev:    size   erasesize  name
mtd0: 00100000 00100000 "block0"
mtd1: 00800000 00100000 "bootloader"
mtd2: 01000000 00100000 "kernel"
mtd3: 19000000 00100000 "rootfs"
mtd4: 12c00000 00100000 "cache"
mtd5: 47b00000 00100000 "userdata"
mtd6: 03000000 00100000 "recovery"
mtd7: 06000000 00100000 "backupsys"
mtd8: 00800000 00100000 "fts"
mtd9: 01000000 00100000 "factory_store"
mtd10: 00800000 00100000 "bbt"
mtd11: 80000000 00100000 "mv_nand"

Commands I tried:
Code:
dd if=/cache/kernel.img of=/dev/mtd/mtd2
dd if=/cache/kernel.img of=/dev/block/mtdblock2

EDIT: Also, just tried flashing an unsigned zip using stock recovery, to see if it would work. No go, so it does do signature checks on OTA.zip files.
 
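An added example (not from the thread): a parser for the /proc/mtd table posted above that maps each partition name to the /dev/mtd/mtdN and /dev/block/mtdblockN nodes used in the two dd attempts, and checks an image's size against the target partition before anything is written to raw flash. The 5 MB image size is a constructed value.

```python
import re
from typing import Dict

# One line of /proc/mtd: mtdN: <size hex> <erasesize hex> "<name>"
MTD_LINE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')


class MtdPartition:
    def __init__(self, index: int, size: int, erasesize: int, name: str):
        self.index = index
        self.size = size            # bytes (the size column is hex bytes)
        self.erasesize = erasesize  # bytes per erase block
        self.name = name

    @property
    def char_dev(self) -> str:
        # node used in the thread's first dd attempt
        return f"/dev/mtd/mtd{self.index}"

    @property
    def block_dev(self) -> str:
        # node used in the thread's second dd attempt
        return f"/dev/block/mtdblock{self.index}"

    @property
    def erase_blocks(self) -> int:
        return self.size // self.erasesize


def parse_proc_mtd(text: str) -> Dict[str, MtdPartition]:
    """Parse /proc/mtd text into {partition name: MtdPartition}; the header is skipped."""
    parts: Dict[str, MtdPartition] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("dev:"):
            continue
        m = MTD_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised /proc/mtd line: {line!r}")
        idx, size_hex, erase_hex, name = m.groups()
        if name in parts:
            raise ValueError(f"duplicate partition name {name!r}")
        parts[name] = MtdPartition(int(idx), int(size_hex, 16), int(erase_hex, 16), name)
    return parts


def image_fit_report(part: MtdPartition, image_size: int) -> dict:
    """Check an image against a partition before any raw write: does it fit, and how
    much of the partition stays unused once the image is padded to whole erase blocks?"""
    blocks_needed = -(-image_size // part.erasesize)   # ceiling division
    padded = blocks_needed * part.erasesize
    return {
        "partition": part.name,
        "fits": padded <= part.size,
        "erase_block_aligned": image_size % part.erasesize == 0,
        "blocks_needed": blocks_needed,
        "free_after": part.size - padded,
    }


# Copied from the /proc/mtd listing in the post above.
SAMPLE_PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00100000 00100000 "block0"
mtd1: 00800000 00100000 "bootloader"
mtd2: 01000000 00100000 "kernel"
mtd3: 19000000 00100000 "rootfs"
mtd4: 12c00000 00100000 "cache"
mtd5: 47b00000 00100000 "userdata"
mtd6: 03000000 00100000 "recovery"
mtd7: 06000000 00100000 "backupsys"
mtd8: 00800000 00100000 "fts"
mtd9: 01000000 00100000 "factory_store"
mtd10: 00800000 00100000 "bbt"
mtd11: 80000000 00100000 "mv_nand"
"""

if __name__ == "__main__":
    table = parse_proc_mtd(SAMPLE_PROC_MTD)
    for p in table.values():
        print(f"{p.name:14} {p.block_dev:22} {p.size / 2**20:7.1f} MiB  {p.erase_blocks:4d} blocks")
    # Constructed image size: a 5 MB kernel image against the 16 MiB "kernel" partition.
    print(image_fit_report(table["kernel"], 5_000_000))
```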

tvall

Senior Member
Oct 10, 2010
Springfield
But the entire update zip is signed, just like any other android ota, right? I have never seen any signature verification done in an updater-script

Sent from my Evo V 4G using Tapatalk 2
 

ddggttff3

Inactive Recognized Developer
Dec 13, 2009
Minnesota
FYI, here's what the updater-script does when it tries to install an update. If the first line passes, the rest doesn't do any integrity checks and just overwrites everything. There are no signature checks on individual parts of the OS here.

https://gist.github.com/archon810/6127062

By signature zips, I mean the recovery.img itself checks the integrity of the zip file. I modified the OTA zip to not flash the bootloader, and when loaded in recovery it made it to 20%, but then froze saying it was trying to recover.

But the entire update zip is signed, just like any other android ota, right? I have never seen any signature verification done in an updater-script

Sent from my Evo V 4G using Tapatalk 2

Exactly this
 

tvall

Senior Member
Oct 10, 2010
Springfield
Thanks, and I am unable to dd the kernel img; it says it is unable to open for write.

Mounts:
Code:
dev:    size   erasesize  name
mtd0: 00100000 00100000 "block0"
mtd1: 00800000 00100000 "bootloader"
mtd2: 01000000 00100000 "kernel"
mtd3: 19000000 00100000 "rootfs"
mtd4: 12c00000 00100000 "cache"
mtd5: 47b00000 00100000 "userdata"
mtd6: 03000000 00100000 "recovery"
mtd7: 06000000 00100000 "backupsys"
mtd8: 00800000 00100000 "fts"
mtd9: 01000000 00100000 "factory_store"
mtd10: 00800000 00100000 "bbt"
mtd11: 80000000 00100000 "mv_nand"

Commands I tried:
Code:
dd if=/cache/kernel.img of=/dev/mtd/mtd2
dd if=/cache/kernel.img of=/dev/block/mtdblock2

EDIT: Also, just tried flashing an unsigned zip using stock recovery, to see if it would work. No go, so it does do signature checks on OTA.zip files.

Some android phones have s-on and similar annoyances. Maybe Google implemented something similar

Sent from my Evo V 4G using Tapatalk 2
 

Archon810

Senior Member
Feb 19, 2010
Oakland
By signature zips, I mean the recovery.img itself checks the integrity of the zip file. I modified the OTA zip to not flash the bootloader, and when loaded in recovery it made it to 20%, but then froze saying it was trying to recover.



Exactly this

Oh, I wasn't saying the bootloader doesn't check the signature of the zip, I was just adding these facts to the discussion. Instead of checking the integrity of each file the OTA patches, it simply overwrites everything - it's pretty much a full system image rather than an OTA that uses patching.

This also means that any official update will overwrite the system partition, bootloader, and kernel. Doesn't look like it touches recovery though.
 

ddggttff3

Inactive Recognized Developer
Dec 13, 2009
Minnesota
Some android phones have s-on and similar annoyances. Maybe Google implemented something similar

Sent from my Evo V 4G using Tapatalk 2

Maybe. Also got the logs dumped from the recovery install failure, as they write to /cache and stay there after reboot (woot).

last_install
Code:
/cache/ota.zip
0

last_log
Code:
/cache/recovery # cat last_log
Starting recovery on Fri Feb 13 23:31:31 2009
can't open /dev/tty0: No such file or directory
linux_version_check - failed to open /proc/mv88de3010
linux_version_check - app expects linux kernel revision 6154, please manually check current revision
<<<<< CPU-1 OSAL Init
memory map size for cache:0x0C000000, fd_cache:4, ret:0
memory map size for non-cache:0x00800000, fd_noncache:3
MV_SHM_Init OK:
base_virtaddr_cache:0x2B0F6000, size:0x0C000000
base_virtaddr_noncache:0x37133000, size:0x00800000
recovery filesystem table
=========================
  0 /tmp ramdisk (null) (null) 0
  1 /cache yaffs2 cache (null) 0
  2 /data yaffs2 userdata (null) 0
  3 /system yaffs2 rootfs (null) 0
  4 /boot mtd kernel (null) 0
  5 /recovery mtd recovery (null) 0
  6 /bootloader mtd bootloader (null) 0

I:Boot command: boot-recovery
I:Got arguments from boot message
Command: "recovery" "--update_package=/cache/ota.zip"

ro.boot.bootloader=9086b04-dirty
ro.boot.hardware=eureka-b3
ro.boot.mode=recovery
ro.serialno=
ro.bootmode=recovery
ro.baseband=unknown
ro.carrier=unknown
ro.bootloader=9086b04-dirty
ro.hardware=eureka-b3
ro.revision=769
ro.factorytest=0
ro.secure=1
ro.allow.mock.location=1
ro.debuggable=0
persist.sys.usb.config=adb
ro.build.id=OPENMASTER
ro.build.display.id=anchovy-eng 1.1 OPENMASTER 12538 test-keys
ro.build.version.incremental=12538
ro.build.version.sdk=15
ro.build.version.codename=AOSP
ro.build.version.release=1.1
ro.build.date=Mon Jul  8 14:25:11 PDT 2013
ro.build.date.utc=1375063144
ro.build.type=eng
ro.build.user=auto
ro.build.host=googletv10.mtv.corp.google.com
ro.build.tags=test-keys
ro.product.model=anchovy
ro.product.brand=google
ro.product.name=anchovy
ro.product.device=anchovy
ro.product.board=
ro.product.cpu.abi=none
ro.product.manufacturer=unknown
ro.product.release.track=
ro.wifi.channels=
ro.board.platform=mv88de3015
ro.build.product=anchovy
ro.build.description=anchovy-eng 1.1 OPENMASTER 12538 test-keys
ro.build.fingerprint=google/anchovy/anchovy:1.1/OPENMASTER/12538:eng/test-keys
ro.build.characteristics=default
ro.eureka.client_cert=/factory/client.crt
ro.eureka.client_privkey=/factory/client.key.bin
ro.content_shell.debug_port=9222
ro.kernel.android.checkjni=1
net.bt.name=Android
net.change=net.bt.name
dalvik.vm.stack-trace-file=/data/anr/traces.txt
init.svc.ueventd=running
init.svc.PE_Single_CPU=running
init.svc.recovery=running

Finding update package...
I:Update location: /cache/ota.zip
Opening update package...
I:1 key(s) loaded from /res/keys
Verifying update package...
I:comment is 1342 bytes; signature 1324 bytes from end
E:failed to verify whole-file signature
I:verify_file returned 1
E:signature verification failed
Installation aborted.

last_logcat
Code:
--------- beginning of /dev/log/main
02-13 23:31:31.290   608   608 I PE_Single_CPU: soc iotable mapped virtual memory@:2b9f9000 errno=2
02-13 23:31:31.540   608   608 I PE_Single_CPU:  cpuPll         frequency 800
02-13 23:31:31.540   608   608 I PE_Single_CPU:  memPll         frequency 1300
02-13 23:31:31.540   608   608 I PE_Single_CPU:  sysPll         frequency 600
02-13 23:31:31.540   608   608 I PE_Single_CPU:  dClk           frequency 325
02-13 23:31:31.540   608   608 I PE_Single_CPU:  cpuClk         frequency 800
02-13 23:31:31.540   608   608 I PE_Single_CPU:  sysClk         frequency 300
02-13 23:31:31.540   608   608 I PE_Single_CPU:  drmClk         frequency 300
02-13 23:31:31.540   608   608 I PE_Single_CPU:  cfgClk         frequency 75
02-13 23:31:31.540   608   608 I PE_Single_CPU:  gfxClk         frequency 300
02-13 23:31:31.540   608   608 I PE_Single_CPU:  zspClk         frequency 50
02-13 23:31:31.540   608   608 I PE_Single_CPU:  perifClk       frequency 150
02-13 23:31:31.540   608   608 I PE_Single_CPU:  pCubeClk       frequency 600
02-13 23:31:31.540   608   608 I PE_Single_CPU:  vScopeClk      frequency 600
02-13 23:31:31.540   608   608 I PE_Single_CPU:  nfcEccClk      frequency 300
02-13 23:31:31.540   608   608 I PE_Single_CPU:  vppSysClk      frequency 300
02-13 23:31:31.540   608   608 I PE_Single_CPU:  appClk         frequency 300
02-13 23:31:31.540   608   608 I PE_Single_CPU:  gfx3DCoreClk   frequency 300
02-13 23:31:31.540   608   608 I PE_Single_CPU:  gfx3DSysClk    frequency 300
02-13 23:31:31.540   608   608 I PE_Single_CPU:  arcRefClk      frequency 300
02-13 23:31:31.540   608   608 I PE_Single_CPU:  vipClk         frequency 300
02-13 23:31:31.540   608   608 I PE_Single_CPU:  sdioXinClk     frequency 50
02-13 23:31:31.540   608   608 I PE_Single_CPU:  sdio1XinClk    frequency 50
02-13 23:31:31.540   608   608 I PE_Single_CPU:  gfx3DExtraClk  frequency 300
02-13 23:31:31.540   608   608 I PE_Single_CPU:  gc360Clk       frequency 300
02-13 23:31:31.540   608   608 I PE_Single_CPU: linux_version_check - failed to open /proc/mv88de3010
02-13 23:31:31.540   608   608 I PE_Single_CPU: linux_version_check - app expects linux kernel revision 6154, please manually check current revision
02-13 23:31:31.540   608   608 I PE_Single_CPU: <<<<< CPU-1 OSAL Init
02-13 23:31:31.540   608   608 I PE_Single_CPU: memory map size for cache:0x0C000000, fd_cache:7, ret:0
02-13 23:31:31.540   608   608 I PE_Single_CPU: memory map size for non-cache:0x00800000, fd_noncache:6
02-13 23:31:31.540   608   608 I PE_Single_CPU: MV_SHM_Init OK:
02-13 23:31:31.540   608   608 I PE_Single_CPU: base_virtaddr_cache:0x2E9F9000, size:0x0C000000
02-13 23:31:31.540   608   608 I PE_Single_CPU: base_virtaddr_noncache:0x3AA5A000, size:0x00800000
02-13 23:31:31.560   608   608 I PE_Single_CPU: BindInfo:
02-13 23:31:31.560   608   608 I PE_Single_CPU: 00000000 00000000 00000000 00000000 514e191b 5d2e9f7b 00000000 20000000 47ffffef 0000345e 000000ff 668207bc 729a3638 00000000 
02-13 23:31:31.560   608   608 I PE_Single_CPU: WARN  1566(ms) source/figo_dmx_api.c:58:FIGO_DMX_Create =================FIGO DMX: AVXBV allocated in shared memory ===================
02-13 23:31:31.580   608   608 I PE_Single_CPU: WARN  1584(ms) source/dmx_mgr.c:470:DMXMgr_Task DMXMgr_task runing
02-13 23:31:31.600   608   608 I PE_Single_CPU: WARN  1592(ms) source/figo_fw_dep.c:344:FIGO_FW_Initialize pbEncImg:3ac8a000
02-13 23:31:31.600   608   608 I PE_Single_CPU: FIGO Image Encryption Root Key ID = [0x4], Signature Key ID = [0x2], Signature Type = [0x2],Signature length=[0x80]
02-13 23:31:31.620   608   608 I PE_Single_CPU: Enter Antirollback check! MV_DRMLIB_LoadSecureTCMBerlin:1915
02-13 23:31:31.620   608   608 I PE_Single_CPU: Antirollback Check uAntiRollBackFlag = 2
02-13 23:31:31.620   608   608 I PE_Single_CPU: Antirollback Check success uAntiRollBackFlag == 2!
02-13 23:31:31.620   608   608 I PE_Single_CPU: Exit Antirollback check!
02-13 23:31:31.620   608   608 I PE_Single_CPU: WARN  1616(ms) source/figo_fw_dep.c:389:FIGO_FW_Initialize drm special task addr:4d0
02-13 23:31:31.620   608   608 I PE_Single_CPU: WARN  1616(ms) source/figo_fw_dep.c:410:FIGO_FW_Initialize Figo thread is running
02-13 23:31:31.620   608   608 I PE_Single_CPU: WARN  1616(ms) source/tsp_fw_base.c:2186:tsp_fw_init Figo init, fw revision in SVN:48844
02-13 23:31:31.630   608   608 I PE_Single_CPU: WARN  1643(ms) source/tsp_fw_cnn.c:416:DSStrmOutExOpen OutMemPoolAddr:0x5400 size:512
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_ResetCtrl      ] Crypto Engine uResetVal equals to current value [1]
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_SetReturnAddress] NthCryptoEngineFifoCmdReg [0xf310]
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_SetReturnAddress] Set Crypto Engine CH[0] uReturnAddress[0x278]
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_SetReturnAddress] NthCryptoEngineFifoCmdReg [0xf318]
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_SetReturnAddress] Set Crypto Engine CH[1] uReturnAddress[0x288]
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_SetReturnAddress] NthCryptoEngineFifoCmdReg [0xf320]
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_SetReturnAddress] Set Crypto Engine CH[2] uReturnAddress[0x298]
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_ResetCtrl      ] Set Crypto Engine to uResetVal[0]
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_SefEngineInit         ] Section Filter Engine Init 
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_SefEngineInit         ] Init Done 
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_SefEngineReset        ] Write 1 to RESET bit 
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_SefEngineReset        ] Disable all rules 
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_SefEngineReset        ] Clear SECTION RULE SRAM 
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_SefEngineReset        ] Write 0 to RESET bit 
02-13 23:31:31.640   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_DMXDRV_SwdEngineReset        ] Set SWD to uResetVal[1]
02-13 23:31:31.640   608   608 I PE_Single_CPU: WARN  1653(ms) source/tsp_demux_source.c:167:TSP_DMX_SRC_RegisterType Not register DTV Souece in TSP.
02-13 23:31:31.650   608   608 I PE_Single_CPU: VPP ISR task is runing
02-13 23:31:32.040   608   608 I PE_Single_CPU: [1704]: line 2884,:.................HPD detected............
02-13 23:31:32.040   608   608 I PE_Single_CPU:  ------------- block 0 -----------
02-13 23:31:32.040   608   608 I PE_Single_CPU: 00 ff ff ff ff ff ff 00 4c 2d 10 02 00 00 00 00 ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 31 0f 01 03 80 10 09 8c 0a e2 bd a1 5b 4a 98 24 ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 15 47 4a 20 00 00 01 01 01 01 01 01 01 01 01 01 ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 01 01 01 01 01 01 01 1d 00 72 51 d0 1e 20 6e 28 ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 55 00 a0 5a 00 00 00 1e 01 1d 80 18 71 1c 16 20 ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 58 2c 25 00 a0 5a 00 00 00 9e 00 00 00 fd 00 3b ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 3d 1e 2e 08 00 0a 20 20 20 20 20 20 00 00 00 fc ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 00 53 41 4d 53 55 4e 47 0a 20 20 20 20 20 01 8d 
02-13 23:31:32.040   608   608 I PE_Single_CPU:  ------------- block 1 -----------
02-13 23:31:32.040   608   608 I PE_Single_CPU: 02 03 16 71 43 84 05 03 23 09 07 07 83 01 00 00 ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 65 03 0c 00 10 00 8c 0a d0 8a 20 e0 2d 10 10 3e ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 96 00 a0 5a 00 00 00 18 00 00 00 00 00 00 00 00 ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,
02-13 23:31:32.040   608   608 I PE_Single_CPU: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
02-13 23:31:32.040   608   608 I PE_Single_CPU:  **********clear dhub semopore 
02-13 23:31:32.040   608   608 I PE_Single_CPU: MV_VPPOBJ_SetCPCBOutputResolution: handle [0], cpcb [0], resID [8], bit_depth [2] 
02-13 23:31:32.080   608   608 I PE_Single_CPU: [2084]: line 3085,:.................EDID read and parsed............
02-13 23:31:32.080   608   608 I PE_Single_CPU: [2084]: line 3119,:..................Set authRequired to False if detected HPD...........
02-13 23:31:32.100   608   608 I PE_Single_CPU: MV_VPPOBJ_SetHdmiVideoFmt: color_fmt [0], bit_depth [2], pixel_rept [1] 
02-13 23:31:32.150   608   608 I PE_Single_CPU: MV_VPPOBJ_OpenDispWindow: plane [0], x[0], y[0], width[720], height[480] 
02-13 23:31:32.150   608   608 I PE_Single_CPU: MV_VPPOBJ_SetRefWindow: plane [0], x[0], y[0], width[720], height[480] 
02-13 23:31:32.150   608   608 I PE_Single_CPU: ************************************************************
02-13 23:31:32.150   608   608 I PE_Single_CPU: *  VMeta 2.5.3 (BG2-CD-1) SA/SP/2K/h264/vp8  build: 19143:20006M 20130605.1108
02-13 23:31:32.150   608   608 I PE_Single_CPU: ************************************************************
02-13 23:31:32.150   608   608 I PE_Single_CPU: ************************************************************
02-13 23:31:32.150   608   608 I PE_Single_CPU: *ZSP VDEC    ZSP Video decoder library
02-13 23:31:32.150   608   608 I PE_Single_CPU: ************************************************************
02-13 23:31:32.150   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_ResetCtrl      ] Set Crypto Engine to uResetVal[1]
02-13 23:31:32.150   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_SetReturnAddress] NthCryptoEngineFifoCmdReg [0xf328]
02-13 23:31:32.150   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_SetReturnAddress] Set Crypto Engine CH[0] uReturnAddress[0x278]
02-13 23:31:32.160   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_SetReturnAddress] NthCryptoEngineFifoCmdReg [0xf330]
02-13 23:31:32.160   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_SetReturnAddress] Set Crypto Engine CH[1] uReturnAddress[0x288]
02-13 23:31:32.160   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_SetReturnAddress] NthCryptoEngineFifoCmdReg [0xf338]
02-13 23:31:32.160   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_SetReturnAddress] Set Crypto Engine CH[2] uReturnAddress[0x298]
02-13 23:31:32.160   608   608 I PE_Single_CPU: [DRMFIGO-LOG] - [MV_TSPDRV_CRYPTO_ResetCtrl      ] Set Crypto Engine to uResetVal[0]
02-13 23:31:32.190   608   608 I PE_Single_CPU: Audio Main DAC Reset fail
02-13 23:31:32.190   608   608 I PE_Single_CPU: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
02-13 23:31:32.190   608   608 I PE_Single_CPU: !!!!!!!!!!Hardware APP enabled!!!!!!!!!!
02-13 23:31:32.190   608   608 I PE_Single_CPU: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
02-13 23:31:32.190   608   608 I PE_Single_CPU: Disp_GraphicsRegisterDsr returns S_OK
02-13 23:31:32.210   608   608 I PE_Single_CPU:         ==================================================
02-13 23:31:32.210   608   608 I PE_Single_CPU:         Aout output PCM buffer size: 110592 fullness: 0
02-13 23:31:32.210   608   608 I PE_Single_CPU: ********************MV_DRMLIB_R2R_SPHAL_KeyLadder_Init 1!********************
02-13 23:31:32.220   608   608 I PE_Single_CPU: release cell (addr: 0x04d0, size: 0x0028)
02-13 23:31:32.220   608   608 I PE_Single_CPU: af config bk, ret: 0
02-13 23:31:32.220   608   608 I PE_Single_CPU: af config bk again , ret: 0
02-13 23:31:32.220   608   608 I PE_Single_CPU: af get DTVM ptr: 0x2d6b9000, figo handle: 0x2b961bc0
02-13 23:31:32.220   608   608 I PE_Single_CPU: FIGO Image Encryption Root Key ID = [0x4], Signature Key ID = [0x2], Signature Type = [0x2],Signature length=[0x80]
02-13 23:31:32.240   608   608 I PE_Single_CPU: Enter Antirollback check! MV_DRMLIB_LoadSecureTCMBerlin:1915
02-13 23:31:32.240   608   608 I PE_Single_CPU: Antirollback Check uAntiRollBackFlag = 0
02-13 23:31:32.240   608   608 I PE_Single_CPU: Antirollback Check failed uAntiRollBackFlag == 0!
02-13 23:31:32.240   608   608 I PE_Single_CPU: Exit Antirollback check!
02-13 23:31:32.240   608   608 I PE_Single_CPU: load image, ret: 0
02-13 23:31:32.240   608   608 I PE_Single_CPU: enable BIU, ret: 0
02-13 23:31:32.240   608   608 I PE_Single_CPU: config ds, ret: 0
02-13 23:31:32.240   608   608 I PE_Single_CPU: send start, ret: 0
02-13 23:31:32.240   608   608 I PE_Single_CPU: pack 111
02-13 23:31:32.240   608   608 I PE_Single_CPU: pack 222
02-13 23:31:32.240   608   608 I PE_Single_CPU: pack 333
02-13 23:31:32.240   608   608 I PE_Single_CPU: pack 444
02-13 23:31:32.240   608   608 I PE_Single_CPU: pack 555
02-13 23:31:32.240   608   608 I PE_Single_CPU: pack 666
02-13 23:31:32.240   608   608 I PE_Single_CPU: ********************MV_DRMLIB_R2R_SPHAL_KeyLadder_Init 2!********************
02-13 23:31:32.240   608   608 I PE_Single_CPU: sendcmd 111
02-13 23:31:32.240   608   608 I PE_Single_CPU: sendcmd 222
02-13 23:31:32.240   608   608 I PE_Single_CPU: sendcmd 333
02-13 23:31:32.240   608   608 I PE_Single_CPU: sendcmd 555
02-13 23:31:32.240   608   608 I PE_Single_CPU: sendcmd 666
02-13 23:31:32.240   608   608 I PE_Single_CPU: Share memory address log: pOpenCryptoCMD->ie_c2Ctx = 0x3aa5b850, DST ADDRESS = 0x1850
02-13 23:31:32.240   608   608 I PE_Single_CPU: WARN  2248(ms) source/figo_dmx_api.c:58:FIGO_DMX_Create =================FIGO DMX: AVXBV allocated in shared memory ===================
02-13 23:31:32.250   608   608 I PE_Single_CPU: WARN  2264(ms) source/figo_fw_dep.c:344:FIGO_FW_Initialize pbEncImg:3aed0700
02-13 23:31:32.250   608   608 I PE_Single_CPU: FIGO Image Encryption Root Key ID = [0x4], Signature Key ID = [0x2], Signature Type = [0x2],Signature length=[0x80]
02-13 23:31:32.270   608   608 I PE_Single_CPU: Enter Antirollback check! MV_DRMLIB_LoadSecureTCMBerlin:1915
02-13 23:31:32.270   608   608 I PE_Single_CPU: Antirollback Check uAntiRollBackFlag = 2
02-13 23:31:32.270   608   608 I PE_Single_CPU: Antirollback Check success uAntiRollBackFlag == 2!
02-13 23:31:32.270   608   608 I PE_Single_CPU: Exit Antirollback check!
02-13 23:31:32.270   608   608 I PE_Single_CPU: WARN  2276(ms) source/figo_fw_dep.c:389:FIGO_FW_Initialize drm special task addr:4d0
02-13 23:31:32.270   608   608 I PE_Single_CPU: WARN  2276(ms) source/figo_fw_dep.c:410:FIGO_FW_Initialize Figo thread is running
02-13 23:31:32.270   608   608 I PE_Single_CPU: ********************MV_DRMLIB_R2R_SPHAL_KeyLadder_Init 3!********************
02-13 23:31:36.390   608   608 I PE_Single_CPU: MV_VPPOBJ_SetCPCBOutputResolution: handle [0], cpcb [0], resID [14], bit_depth [2] 
02-13 23:31:36.460   608   608 I PE_Single_CPU: MV_VPPOBJ_SetHdmiVideoFmt: color_fmt [0], bit_depth [2], pixel_rept [1] 
02-13 23:31:36.570   608   608 I PE_Single_CPU: [GFX 0x2 Add] list: 0x3e5410f4=(nil) [n=1]
02-13 23:31:36.790   609   609 I ARMAssembler: generated scanline__00000077:03545404_00000000_00000000 [ 29 ipp] (43 ins) at [0x3b4801e8:0x3b480294] in 152693 ns
02-13 23:31:36.840   609   609 I ARMAssembler: generated scanline__00000077:03545404_00000A02_00000000 [ 30 ipp] (52 ins) at [0x3b480298:0x3b480368] in 101467 ns

 
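The signature check discussed in the updater-script post and the two last_log lines above ("comment is 1342 bytes; signature 1324 bytes from end" followed by "failed to verify whole-file signature") both come from the footer that Android recovery reads from the end of an OTA zip. The parser below is an added example, neither the thread's nor AOSP's code: it pulls the footer apart the way recovery does and runs the structural checks that precede the RSA verification. The zip, the PKCS7-prefix string and the 0x5A signature bytes are constructed placeholders, no key is loaded, and the boundary of the signed byte range is my assumption.

```python
import hashlib
import io
import struct
import zipfile

FOOTER_SIZE = 6          # [signature_start LE16][0xFF 0xFF][comment_size LE16]
EOCD_HEADER_SIZE = 22    # fixed part of the zip end-of-central-directory record
EOCD_MAGIC = b"PK\x05\x06"
RSA_SIG_BYTES = 256      # size of a 2048-bit RSA signature


class FooterError(ValueError):
    """Raised where recovery would log an E: line and abort the install."""


def parse_whole_file_footer(data: bytes) -> dict:
    """Locate the whole-file signature in an OTA zip and run the structural checks
    recovery performs before it even tries the RSA verification."""
    if len(data) < EOCD_HEADER_SIZE + FOOTER_SIZE:
        raise FooterError("file too short to hold an EOCD record and footer")
    sig_start, marker, comment_size = struct.unpack("<HHH", data[-FOOTER_SIZE:])
    # In an unsigned zip these six bytes are the central-directory offset plus a
    # zero comment length, so the 0xFFFF marker is what tells the two apart.
    if marker != 0xFFFF:
        raise FooterError("footer is wrong")
    if sig_start - FOOTER_SIZE < RSA_SIG_BYTES:
        raise FooterError("signature is too short")
    if sig_start > comment_size:
        raise FooterError("signature lies outside the archive comment")
    eocd_size = comment_size + EOCD_HEADER_SIZE
    if eocd_size > len(data):
        raise FooterError("comment size exceeds file size")
    eocd = data[-eocd_size:]
    if eocd[:4] != EOCD_MAGIC:
        raise FooterError("EOCD magic not found where the footer says it should be")
    # A second EOCD hidden in the comment could make the zip parser use a
    # central directory that was never signed, so recovery refuses it.
    if EOCD_MAGIC in eocd[4:]:
        raise FooterError("EOCD marker found after start of EOCD")
    sig_off = len(data) - sig_start
    # Assumption (my reading of the AOSP verifier, not stated on the page): the
    # signed bytes run from the start of the file through the 22-byte EOCD
    # header, i.e. everything except the comment that carries the signature.
    signed_len = len(data) - comment_size
    return {
        "comment_size": comment_size,
        "signature_start": sig_start,
        "signature": data[sig_off:sig_off + RSA_SIG_BYTES],
        "signed_len": signed_len,
        "sha1": hashlib.sha1(data[:signed_len]).hexdigest(),
    }


def recovery_log_line(data: bytes) -> str:
    """The I:/E: line recovery's last_log would show for this zip's footer."""
    try:
        info = parse_whole_file_footer(data)
    except FooterError as exc:
        return f"E:{exc}"
    return (f"I:comment is {info['comment_size']} bytes; "
            f"signature {info['signature_start']} bytes from end")


def build_zip(comment: bytes) -> bytes:
    """Constructed OTA-shaped zip with the given archive comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zi = zipfile.ZipInfo("META-INF/com/google/android/updater-script",
                             date_time=(2013, 7, 8, 0, 0, 0))
        zf.writestr(zi, b'ui_print("constructed sample");\n')
        zf.comment = comment
    return buf.getvalue()


def build_signed_shaped_zip() -> bytes:
    """Zip whose comment has the shape seen in the thread's last_log (1342-byte
    comment, signature 1324 bytes from end); the signature bytes are a placeholder."""
    comment_size, sig_start = 1342, 1324
    prefix = b"PKCS7-prefix\0".ljust(comment_size - sig_start, b"\0")  # constructed
    signature = bytes([0x5A]) * RSA_SIG_BYTES                            # placeholder
    padding = b"\0" * (comment_size - len(prefix) - RSA_SIG_BYTES - FOOTER_SIZE)
    footer = struct.pack("<HHH", sig_start, 0xFFFF, comment_size)
    return build_zip(prefix + signature + padding + footer)


if __name__ == "__main__":
    signed = build_signed_shaped_zip()
    print(recovery_log_line(signed))            # same numbers as in last_log
    print(recovery_log_line(build_zip(b"")))    # what an unsigned zip produces
    # Editing any signed byte changes the digest while the old footer still parses,
    # which is why a hand-modified ota.zip fails the whole-file signature check.
    edited = signed.replace(b"constructed sample", b"constructed edited")
    print(parse_whole_file_footer(signed)["sha1"] != parse_whole_file_footer(edited)["sha1"])
```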

gnatman

Member
Jun 12, 2010
How do you know that the download URL is dl.google.com? If we are positive that is the URL that it is checking for updates, I'll just block it via my router to make sure my Chromecasts stay on 12072 until I can root them permanently.

Well, that's where the file is hosted for manual updates of the OTA, so I just assumed that's where it was checking. I am not 100% positive this will work though.
 

tvall

Senior Member
Oct 10, 2010
Springfield
Does recovery have adb or anything over USB? A custom recovery wouldn't be too difficult, and is possibly the only part allowed to flash a kernel, but idk how we would control it (no network, so not telnet. No buttons, so not like android)

Edit: I think I have an idea for a quick hack. Custom recovery could flash a kernel stored in /cache, then load the normal recovery.

But now we are getting really complicated. Flash update over USB, reboot into recovery to flash kernel. Then you're done, until the next update.
I'll get to work on this when I get home.

Sent from my Evo V 4G using Tapatalk 2
 

ddggttff3

Inactive Recognized Developer
Dec 13, 2009
Minnesota
Does recovery have adb or anything over USB? A custom recovery wouldn't be too difficult, and is possibly the only part allowed to flash a kernel, but idk how we would control it (no network, so not telnet. No buttons, so not like android)

Sent from my Evo V 4G using Tapatalk 2

The log says ADB is started over USB. I'll see if I can get it into recovery again, and I'll see if it gives ADB access.

EDIT: Also, just a note. Seems your flashable img does not keep root after a restart. Any way to fix that? I don't like flashing every time I reboot :p
 

tvall

Senior Member
Oct 10, 2010
Springfield
The log says ADB is started over USB. I'll see if I can get it into recovery again, and I'll see if it gives ADB access.

EDIT: Also, just a note. Seems your flashable img does not keep root after a restart. Any way to fix that? I don't like flashing every time I reboot :p

It doesn't? Odd... I honestly have no idea what would cause that. Filesystem is read only, so it can't wipe out changes without reflashing the whole thing. And your bootloader is still insecure, so it's not updating.
If I had a chromecast, I'd be able to take a closer look.

Sent from my Evo V 4G using Tapatalk 2
 

ddggttff3

Inactive Recognized Developer
Dec 13, 2009
Minnesota
Hope you have one on the way :p It seems not many devs are getting on it.

Also, for ADB in recovery, it's a no-go. I have it in recovery hooked up to USB to my laptop, and it shows nothing. :(

EDIT: This is interesting though... when you boot recovery and no update command is given, the log shows this.

Code:
Nothing to do, attempting install from USB
Failed to detect partition /dev/block/sda1 on USB disk
failed to open /sys/class/android_usb/android0/state: No such file or directory
I:timed out waiting for key input; rebooting.

tvall

Senior Member
Oct 10, 2010
2,230
792
29
Springfield
Hope you have one on the way :p It seems not many devs are getting on it.

Also, for ADB in recovery, it's a no-go. I have it in recovery hooked up to USB to my laptop, and it shows nothing. :(

I don't have a TV. Chromecast is useless without one.

Are you adventurous enough to connect to the serial port and see if recovery does anything there?

Edit: Huh, that is interesting. It most likely still checks signature, but it can't hurt to experiment, can it?

Sent from my Evo V 4G using Tapatalk 2

ddggttff3

Inactive Recognized Developer
Dec 13, 2009
815
1,543
Minnesota
I don't have a TV. Chromecast is useless without one.

Are you adventurous enough to connect to the serial port and see if recovery does anything there?

Sent from my Evo V 4G using Tapatalk 2

Sorry, but I really don't want to tear into the device. It's hard enough to get into recovery over USB anyway. I can help provide you with anything else you need though.

EDIT: I am willing to try whatever you want, as long as it doesn't touch the bootloader :p

EDIT2: Interesting, the stock OS does not have /sys/class/android_usb, so it looks like there is 0 USB support in the OS, but the kernel modules are there.

/sys/module # insmod usbcore
insmod: init_module 'usbcore' failed (Function not implemented)
/sys/module # insmod usbhid
insmod: init_module 'usbhid' failed (Function not implemented)
/sys/module # insmod usbcore
insmod: init_module 'usbcore' failed (Function not implemented)
/sys/module # insmod usb_storage
insmod: init_module 'usb_storage' failed (Function not implemented)

EDIT3: Also found the command flash_image, still no luck though.
/cache # flash_image kernel boot.img
error writing kernel: Permission denied

There has to be a way to get the other partitions into RW mode.

Top Liked Posts

    Update

    Since this thread seems to have become quite popular, I thought I'd update it to give people all the newest information in one place.

    Since I've made this post, there has been another OTA (build 12940) that improves bootloader security even further and prevents some potential root methods which were being developed for 12840. As of now, neither build 12840, build 12940, nor build 13300 has a published root method. New units have the patched bootloader preloaded from the factory and are not rootable. If you buy a unit at this point, there is a good chance that you will get one that is patched. (EDIT 2013-10-22: People are reporting that units they have purchased from Best Buy and Amazon are still running the vulnerable build. It is unclear if this is simply old stock or if there are still vulnerable units being produced.)

    As for the methods described below, they cannot be performed through a shell (i.e. telnet) since the root filesystem is formatted as squashfs, which is read-only. Instead, the root images must be manually repacked for each OTA and flashed using a USB drive with an image such as FlashCast. @ddggttff3 maintains a FlashCast mod to update Chromecasts to the latest firmware without losing root, which can be found here.

    For those of you who have managed to keep your vulnerable bootloaders, keep your eyes out. There should be some very cool releases in the near future.

    Original post

    As can be seen in this commit to Google's Chromecast source mirror, firmware version 1.1 adds a check for the result of image verification on line 755. This check will cause GTVHacker's USB image to fail to boot, and you will not be able to obtain root. Even if another root exploit is found, it seems very unlikely that it will be as clean or simple as the one which exists now, which simply uses version 0.7's unlocked bootloader to flash a new system image.

    Unfortunately, I don't have a Chromecast to test on, so I cannot recommend a method of disabling OTAs. However, from looking at the system image, there are a few possibilities I see. THE FOLLOWING METHODS ARE UNTESTED AND ARE NOT GUARANTEED TO WORK OR LEAVE YOUR CHROMECAST IN A WORKING STATE. PERFORM THEM AT YOUR OWN RISK.

    After telnetting into your rooted Chromecast or otherwise obtaining a root shell, you can try these two possible methods:
    1. Rename otacerts.zip to otacerts.zip.bak in /system/etc/security/. This may remove the OTA signing keys and cause the Chromecast to reject any OTAs. However, I do not know whether this file is actually used or whether it is simply a remnant from Chromecast's Android base.
    2. Replace /chrome/update_engine with an empty, executable shell script (make sure to make a backup copy first). I am very unsure of this method, since it is simply going off the name of the update_engine binary. If update_engine happens to perform some task core to the system, doing this will leave your device in an unusable state. If this happens, simply re-rooting using GTVHacker's USB image should restore your system to how it was.

    Again, I am not responsible for any bricked Chromecasts which may result from attempting this. If you do try either method, please report whether or not it appeared to work or have any ill effects.

    Remember my bricked chromecast? I found a way to force it to load from USB. This involves opening the device, jumping 2 pins at a select time, and UART, but check the following boot log:

    http://pastebin.com/xHScat0T

    I don't know if this would allow circumventing the locked bootloader, but it might be a recovery option for people with bricks.

    EDIT: No longer have a bricked chromecast! :) Will post details in a bit for those who may be interested, or for future reference.

    EDIT2: Thread Here: http://xdaforums.com/showthread.php?t=2438715

    In the interim, is this still an effective way to keep it from updating? I unplugged mine this morning before I went to work and I'm heading home. Just trying to figure out a way to still be able to use it without it updating.

    Just checked again, it still tries to download an OTA.zip file, so the best thing is to either not use it, or keep an eye on it :/

    I'll go ahead and upload the image that's lacking update_engine.

    Later I'll upload a build with a modified recovery image. Fiancee is missing me. I've spent too much time on this for now.

    ---------- Post added at 08:45 PM ---------- Previous post was at 08:11 PM ----------

    https://dl.dropboxusercontent.com/u/19978192/gtvhacker-chromecast.bin.gz

    This has update_engine replaced by a dummy script. This should kill OTA updates, but it might not. Again, provided as-is, no warranty, your problem if it breaks, yada yada.

    I'll work on this crap more tomorrow.

    Thanks. That would be great. I managed to decompress the kernel but still couldn't find the RAM disk with your script. I also managed to compile the chromecast kernel from source. I may keep plugging away at figuring this out until you are able to get to it yourself.

    Well if you compiled it yourself, you are nearly there. Quick overview of what we had to do:

    /arch/arm/mach-mv88de3100/mv88de31xx_android.c, start setting partitions to RW in there, also disable any of the recovery boot options, and you may want to alter the command line in there (if not, arch/arm/kernel/setup.c)

    When you build, what I did was set CONFIG_INITRAMFS / CONFIG_INITRAMFS_SOURCE for your ramdisk: pull the stock kernel ramdisk and do some mods to it. Then point the INITRAMFS_SOURCE to where you modified the kernel ramdisk.

    Hopefully that will help some, still been meaning to push our modded kernel source, but haven't had the time.

    Someone get me a copy of the new update, and I'll make a rooted image.

    We need to find a bootloader exploit

    Sent from my Evo V 4G using Tapatalk 2