PSA: The new OTA (build 12840) patches the bootloader exploit used to obtain root

granduke

Can someone please help me with my context?

I'm using dd-0.5 for windows.

I enter
Code:
dd if=gtvhacker-chromecast.bin of=l bs=1024

with "l" being my flash drive.

The response is:
1280000+0 records in
1280000+0 records out

But nothing is written to the flash drive.
 

tvall

I would recommend using a Linux live CD, or vm. Or a Mac. Windows is a pain

Sent from my Evo V 4G using Tapatalk 2
 

granduke

> I would recommend using a Linux live CD, or vm. Or a Mac. Windows is a pain

OK, got it to write with the syntax:

Code:
dd if=gtvhacker-chromecast.bin of=\\.\l: bs=1024

But the drive is now not readable by Windows. Says that it has an incompatible filesystem.

Does this sound right?


Update:

Yeah. dd on windows is a pain.
I ended up using win32diskmanager and all worked good.
 
unodish

I went thru this process and confirmed that I was able to Telnet to Chromecast, but after I unplugged the unit and plugged it in the other room it started the updating process. This was a brand new unit out of the box that had the original firmware. I'm not sure what caused the update to still get thru.
 

smartphoneguy

> I went thru this process and confirmed that I was able to Telnet to Chromecast, but after I unplugged the unit and plugged it in the other room it started the updating process. This was a brand new unit out of the box that had the original firmware. I'm not sure what caused the update to still get thru.

Did you flash the gtvhacker image or tvall's from this thread? If the former, I don't think it blocks updates...
 
Dec 11, 2007
27
1
I am currently waiting for the powered OTG cable to ship from China. It is going to take 10 long days and nights. Aaargh! I got frustrated waiting and thought I will try chromecast and risk the update. After plugging it in, running the chromecast setup software on laptop, discovering the chromecast device, I changed my mind and killed the power. I did not go through the wireless setup step.

I suppose chromecast can not download the update until I configure the wireless on it. So, I should not be at risk of the OTA.zip already downloaded. Can someone confirm this?
 

preusstang

Just got my ChromeCast from a BestBuy 50 miles away.. then read this. Damn! I'm awaiting the delivery of my powered OTG cable but I have 2 questions:

1. Since I already have a regular OTG cable for my S3, I can dd the image to the flash drive with terminal emulator, right? I can already flash recoveries, boot loaders, etc. on my phone this way.

2. I don't have a USB hub but I have a powered one at work. Could I just plug the CC into one slot, the USB drive into another, and unplug the USB A->B that usually connects the hub to a PC?
 
Dec 11, 2007
27
1
> Just got my ChromeCast from a BestBuy 50 miles away.. then read this. Damn! I'm awaiting the delivery of my powered OTG cable but I have 2 questions:
>
> 1. Since I already have a regular OTG cable for my S3, I can dd the image to the flash drive with terminal emulator, right? I can already flash recoveries, boot loaders, etc. on my phone this way.
>
> 2. I don't have a USB hub but I have a powered one at work. Could I just plug the CC into one slot, the USB drive into another, and unplug the USB A->B that usually connects the hub to a PC?

In my opinion you should be able to use the OTG + USB hub. However, unless you are feeling adventurous, wait for one of the senior devs above to confirm :)
 

preusstang

> In my opinion you should be able to use the OTG + USB hub. However, unless you are feeling adventurous, wait for one of the senior devs above to confirm :)

I shouldn't need the OTG if using a hub. The OTG is a micro male to standard "A" female. I should be able to have the CC with micro male to standard "A" male (power cable) plugged into the hub, and the flash drive plugged into the hub (and the hub power cable plugged in). But I'm uncertain.

For windows users: Also, I couldn't find my regular OTA cable so I readied the flash drive with win32diskimager (on windows 8). It had a warning about corrupting the disk but it worked just fine. Use 7-zip to extract the .bin first. The drive was still readable by windows afterwards.
 
http://pages.ebay.com/link/?nav=item.view&id=141026737738

Got this cable and worked fine even though if I plug in my galaxy S4 it will not charge, only the USB thumb drive will light up. Also, my chromecast would simply say "chromecast starting up" when it was flashing. It took about 20secs to flash and then it reboots by itself. I thought there was something wrong with the image and the CC was just starting up, just fyi





Sent from my SPH-L720 using Tapatalk 4
 
Dec 11, 2007
27
1
> http://pages.ebay.com/link/?nav=item.view&id=141026737738
>
> Got this cable and worked fine even though if I plug in my galaxy S4 it will not charge, only the USB thumb drive will light up. Also, my chromecast would simply say "chromecast starting up" when it was flashing. It took about 20secs to flash and then it reboots by itself. I thought there was something wrong with the image and the CC was just starting up, just fyi
>
> Sent from my SPH-L720 using Tapatalk 4

I got this one instead. http://r.ebay.com/SyKg5f (still in transit) It looks different from yours. I think this will do the job for me. Will let everyone know how it goes.
 

tvall

> Wondering if possible to spoof the Ota server address on local ap/router/server. Deliver yourself a rooted ota update.

Even if you spoofed the entire update process successfully,
recovery will still check if the update is signed with a valid key.

> Is all hope lost for me.
>
> Sent from my SCH-I535 using Tapatalk 2

If an actual bootloader exploit is found, no. But that isn't an area I know much about.

Sent from my Evo V 4G using Tapatalk 2
 

smartphoneguy

tvall,
Thanks for the rooted, update blocked image. I was able to flash my newest Chromecast. A couple questions/thoughts:
1) It seems you deleted the custom gtvhacker boot logo from your updated image. This makes it more difficult to verify the flash was successful. Perhaps you could add the custom logo--or some other onscreen indicator of a successful flash--in your next release? I did verify root via telnet, but it is nice to have a visual indicator.
2) Your image does not appear to update build.prop to reflect the 12840 build number, so the Chromecast app still lists it as 12072. Intentional?
 
tvall

1) correct way to state that would be I didn't ADD the gtvhacker logo. All I did was add root and remove updating from the system image from the new update.
2) that is part of the kernel, which is not flashed in my image. We should update that, but I haven't done it yet.

Sent from my Evo V 4G using Tapatalk 2
 

preusstang

I've had a hell of a time getting this to work. First I used win32diskimager, which I thought worked.. However, I just saw these colored dots like these guys mention:
http://forum.gtvhacker.com/google-chromecast-f48/topic1465.html

Then I tried cygwin. Same thing. Then I used a Knoppix distro. Same thing. Tried a 2nd flash drive. Same thing. Tried with a BackTrack distro (based on Ubuntu). The chromecast started doing something but it hung at the "starting your chromecast" for like 20 minutes.

I popped the flash drive back in my PC and it had this log file on it.

Code:
+ busybox mkdir /tmp/1
+ busybox mount -tvfat -rw /dev/block/sda1 /tmp/1
+ /sbin/flash_erase /dev/mtd/mtd3 0 0

Erasing 1024 Kibyte @ 0 --  0 % complete 
Erasing 1024 Kibyte @ 4000000 -- 16 % complete flash_erase: Skipping bad block at 04100000
flash_erase: Skipping bad block at 04200000

Erasing 1024 Kibyte @ 18f00000 -- 100 % complete 
+ /sbin/nandwrite -p /dev/mtd/mtd3 /tmp/1/Chromecast-Rooted-System-GTVHacker-cj_000-July27-635PM.bin
/tmp/1/Chromecast-Rooted-System-GTVHacker-cj_000-July27-635PM.bin: No such file or directory
Data was only partially written due to error
: Invalid argument
+ busybox rm -rf /data/bootid /data/chrome /data/lost+found /data/minidumps /data/netflix /data/property /data/share /data/sntpd /data/updater /data/watchdog /data/widevine /data/wifi
rm: cannot remove '/data/lost+found': Directory not empty
+ cp /tmp/log /tmp/1/

2 bad blocks? On my CC or the flash drive? Any ideas?
 
Top Liked Posts

  • 11
    Update

    Since this thread seems to have become quite popular, I thought I'd update it to give people all the newest information in one place.

    Since I've made this post, there has been another OTA (build 12940) that improves bootloader security even further and prevents some potential root methods which were being developed for 12840. As of now, neither build 12840, build 12940, nor build 13300 has a published root method. New units have the patched bootloader preloaded from the factory and are not rootable. If you buy a unit at this point, there is a good chance that you will get one that is patched. (EDIT 2013-10-22: People are reporting that units they have purchased from Best Buy and Amazon are still running the vulnerable build. It is unclear if this is simply old stock or if there are still vulnerable units being produced.)

    As for the methods described below, they cannot be performed through a shell (i.e. telnet) since the root filesystem is formatted as squashfs, which is read-only. Instead, the root images must be manually repacked for each OTA and flashed using a USB drive with an image such as FlashCast. @ddggttff3 maintains a FlashCast mod to update Chromecasts to the latest firmware without losing root, which can be found here.

    For those of you who have managed to keep your vulnerable bootloaders, keep your eyes out. There should be some very cool releases in the near future.

    Original post

    As can be seen in this commit to Google's Chromecast source mirror, firmware version 1.1 adds a check for the result of image verification on line 755. This check will cause GTVHacker's USB image to fail to boot, and you will not be able to obtain root. Even if another root exploit is found, it seems very unlikely that it will be as clean or simple as the one which exists now, which simply uses version 0.7's unlocked bootloader to flash a new system image.

    Unfortunately, I don't have a Chromecast to test on, so I cannot recommend a method of disabling OTAs. However, from looking at the system image, there are a few possibilities I see. THE FOLLOWING METHODS ARE UNTESTED AND ARE NOT GUARANTEED TO WORK OR LEAVE YOUR CHROMECAST IN A WORKING STATE. PERFORM THEM AT YOUR OWN RISK.

    After telnetting into your rooted Chromecast or otherwise obtaining a root shell, you can try these two possible methods
    1. Rename otacerts.zip to otacerts.zip.bak in /system/etc/security/. This may remove the OTA signing keys and cause the Chromecast to reject any OTAs. However, I do not know whether this file is actually used or whether it is simply a remnant from Chromecast's Android base.
    2. Replace /chrome/update_engine with an empty, executable, shell script (make sure to make a backup copy first). I am very unsure of this method, since it is simply going off the name of the update_engine binary. If update_engine happens to perform some task core to the system, doing this will leave your device in an unusable state. If this happens, simply re-rooting using GTVHacker's USB image should restore your system to how it was.

    Again, I am not responsible for any bricked Chromecasts which may result from attempting this. If you do try either method, please report whether or not it appeared to work or have any ill effects.
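
The original post above says firmware 1.1 adds a check on the result of image verification. As an added example (not code from the Chromecast source or from the post's author), this C program models that class of bug from the defender's side: a boot path that runs verification but never consults the result, next to one that refuses to boot on failure. The image layout, the key, the toy tag function (a stand-in for real signature verification) and every function name are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed image layout for this example (NOT the Chromecast format):
 *   bytes 0..3   magic "IMG0"
 *   bytes 4..7   payload length, little-endian
 *   bytes 8..11  tag over the payload, little-endian
 *   bytes 12..   payload
 */
#define HDR_LEN 12
enum { BOOTED = 0, REFUSED = 1 };
enum { V_OK = 0, V_TRUNCATED = -1, V_BAD_MAGIC = -2, V_BAD_LENGTH = -3, V_BAD_TAG = -4 };

typedef int (*boot_fn)(const uint8_t *, size_t);

/* Hypothetical key. A real bootloader verifies a public-key signature instead. */
static const uint8_t DEVICE_KEY[] = "constructed-demo-key";

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Toy keyed FNV-1a tag: placeholder for signature verification, not secure. */
static uint32_t toy_tag(const uint8_t *data, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof DEVICE_KEY - 1; i++) { h ^= DEVICE_KEY[i]; h *= 16777619u; }
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 16777619u; }
    return h;
}

/* Returns V_OK only if the header is sane and the tag matches the payload. */
int verify_image(const uint8_t *img, size_t size) {
    if (size < HDR_LEN) return V_TRUNCATED;
    if (memcmp(img, "IMG0", 4) != 0) return V_BAD_MAGIC;
    uint32_t len = rd32(img + 4);
    if (len != size - HDR_LEN) return V_BAD_LENGTH;
    if (toy_tag(img + HDR_LEN, len) != rd32(img + 8)) return V_BAD_TAG;
    return V_OK;
}

/* Flawed flow: verification runs, but its result never gates the boot. */
int boot_unchecked(const uint8_t *img, size_t size) {
    int rc = verify_image(img, size);
    (void)rc;                 /* result computed and then ignored */
    return BOOTED;
}

/* Corrected flow: any verification failure stops the boot. */
int boot_checked(const uint8_t *img, size_t size) {
    if (verify_image(img, size) != V_OK) return REFUSED;
    return BOOTED;
}

/* Build a correctly tagged sample image; optionally modify it afterwards. */
size_t make_sample(uint8_t *out, size_t cap, int tamper) {
    static const char payload[] = "constructed system image";
    size_t len = sizeof payload - 1;
    if (cap < HDR_LEN + len) return 0;
    memcpy(out, "IMG0", 4);
    wr32(out + 4, (uint32_t)len);
    wr32(out + 8, toy_tag((const uint8_t *)payload, len));
    memcpy(out + HDR_LEN, payload, len);
    if (tamper) out[HDR_LEN] ^= 0x01;   /* payload changed after tagging */
    return HDR_LEN + len;
}

int verify_sample(int tamper) {
    uint8_t img[64];
    size_t n = make_sample(img, sizeof img, tamper);
    return verify_image(img, n);
}

int boot_sample(boot_fn boot, int tamper) {
    uint8_t img[64];
    size_t n = make_sample(img, sizeof img, tamper);
    return boot(img, n);
}

int main(void) {
    printf("verify(genuine)=%d verify(modified)=%d\n", verify_sample(0), verify_sample(1));
    printf("unchecked flow, modified image: %s\n",
           boot_sample(boot_unchecked, 1) == BOOTED ? "BOOTED" : "REFUSED");
    printf("checked flow,   modified image: %s\n",
           boot_sample(boot_checked, 1) == BOOTED ? "BOOTED" : "REFUSED");
    printf("checked flow,   genuine image:  %s\n",
           boot_sample(boot_checked, 0) == BOOTED ? "BOOTED" : "REFUSED");
    return 0;
}
```

When reviewing boot code, the thing to look for is a verification call whose return value is not on the path that decides whether to hand over control.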
    7
    Remember my bricked chromecast? I found a way to force it to load from USB. This involves opening the device, and jumping 2 pins at a select time, and UART but check the following boot log:

    http://pastebin.com/xHScat0T

    I don't know if this would allow circumventing the locked bootloader, but it might be a recovery option for people with bricks.

    EDIT: No longer have a bricked chromecast! :) Will post details in a bit for those who may be interested, or for future reference.

    EDIT2: Thread Here: http://xdaforums.com/showthread.php?t=2438715
    6
    In the interim, is this still an effective way to keep it from updating? I unplugged mine this morning before I went to work and I'm heading home. Just trying to figure out a way to still be able to use it without it updating.

    Just checked again, it still tries to download an OTA.zip file so best thing is to either not use it, or keep an eye on it :/

    I'll go ahead and upload the image that's lacking update_engine

    Later I'll upload a build with a modified recovery image. Fiancee is missing me. I've spent too much time on this for now.

    ---------- Post added at 08:45 PM ---------- Previous post was at 08:11 PM ----------

    https://dl.dropboxusercontent.com/u/19978192/gtvhacker-chromecast.bin.gz

    this has update_engine replaced by a dummy script. this should kill ota updates, but it might not. again, provided as-is, no warranty, your problem if it breaks, yada yada.

    I'll work on this crap more tomorrow.
    4
    Thanks. That would be great. I managed to decompress the kernel but still couldn't find the RAM disk with your script. I also managed to compile the chromecast kernel from source. I may keep plugging away at figuring this out until you are able to get to it yourself.

    Well if you compiled it yourself, you are nearly there. Quick overview of what we had to do:

    /arch/arm/mach-mv88de3100/mv88de31xx_android.c , start setting partitions to RW in there, also disable any of the recovery boot options, and you may want to alter the command line in there (if not, arch/arm/kernel/setup.c)

    When you build (what I did) was set CONFIG_INITRAMFS / CONFIG_INITRAMFS_SOURCE for your ramdisk, and pull the stock kernel ramdisk, and do some mods to it. Then point the INITRAMFS_SOURCE to where you modified the kernel ramdisk.

    Hopefully that will help some, still been meaning to push our modded kernel source, but haven't had the time.
    4
    Someone get me a copy of the new update, and I'll make a rooted image.

    We need to find a bootloader exploit

    Sent from my Evo V 4G using Tapatalk 2