PSA: The new OTA (build 12840) patches the bootloader exploit used to obtain root

tchebb
(Last edited by tchebb; 22nd October 2013 at 10:06 PM.) Reason: Add information about vulnerable units
#1  

Update

Since this thread seems to have become quite popular, I thought I'd update it to give people all the newest information in one place.

Since I've made this post, there has been another OTA (build 12940) that improves bootloader security even further and prevents some potential root methods which were being developed for 12840. As of now, neither build 12840, build 12940, nor build 13300 has a published root method. New units have the patched bootloader preloaded from the factory and are not rootable. If you buy a unit at this point, there is a good chance that you will get one that is patched. (EDIT 2013-10-22: People are reporting that units they have purchased from Best Buy and Amazon are still running the vulnerable build. It is unclear if this is simply old stock or if there are still vulnerable units being produced.)

As for the methods described below, they cannot be performed through a shell (i.e. telnet) since the root filesystem is formatted as squashfs, which is read-only. Instead, the root images must be manually repacked for each OTA and flashed using a USB drive with an image such as FlashCast. @ddggttff3 maintains a FlashCast mod to update Chromecasts to the latest firmware without losing root, which can be found here.

For those of you who have managed to keep your vulnerable bootloaders, keep your eyes out. There should be some very cool releases in the near future.

Original post

As can be seen in this commit to Google's Chromecast source mirror, firmware version 1.1 adds a check for the result of image verification on line 755. This check will cause GTVHacker's USB image to fail to boot, and you will not be able to obtain root. Even if another root exploit is found, it seems very unlikely that it will be as clean or simple as the one which exists now, which simply uses version 0.7's unlocked bootloader to flash a new system image.

Unfortunately, I don't have a Chromecast to test on, so I cannot recommend a method of disabling OTAs. However, from looking at the system image, there are a few possibilities I see. THE FOLLOWING METHODS ARE UNTESTED AND ARE NOT GUARANTEED TO WORK OR LEAVE YOUR CHROMECAST IN A WORKING STATE. PERFORM THEM AT YOUR OWN RISK.

After telnetting into your rooted Chromecast or otherwise obtaining a root shell, you can try these two possible methods:
  1. Rename otacerts.zip to otacerts.zip.bak in /system/etc/security/. This may remove the OTA signing keys and cause the Chromecast to reject any OTAs. However, I do not know whether this file is actually used or whether it is simply a remnant from Chromecast's Android base.
  2. Replace /chrome/update_engine with an empty, executable, shell script (make sure to make a backup copy first). I am very unsure of this method, since it is simply going off the name of the update_engine binary. If update_engine happens to perform some task core to the system, doing this will leave your device in an unusable state. If this happens, simply re-rooting using GTVHacker's USB image should restore your system to how it was.

Again, I am not responsible for any bricked Chromecasts which may result from attempting this. If you do try either method, please report whether or not it appeared to work or have any ill effects.
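
The kind of fix described in the original post, a boot path that checks the result of image verification, shown as a generic added illustration; it is not part of the post and is not Google's bootloader code. All names are hypothetical, and an FNV-1a checksum stands in for real signature verification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes; not taken from the Chromecast source. */
enum { VERIFY_OK = 0, VERIFY_MISMATCH = -1, VERIFY_MALFORMED = -2 };
enum { BOOT_REFUSED = 0, BOOT_STARTED = 1 };

/* 'expected' is a stand-in for a signed digest shipped with the image. */
struct image { const uint8_t *data; size_t len; uint32_t expected; };

/* FNV-1a: a toy checksum standing in for real signature verification. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

int verify_image(const struct image *img) {
    if (img == NULL || img->data == NULL || img->len == 0)
        return VERIFY_MALFORMED;
    return fnv1a(img->data, img->len) == img->expected ? VERIFY_OK
                                                       : VERIFY_MISMATCH;
}

/* Fail-open: verification runs, but its result never gates the boot. */
int boot_unchecked(const struct image *img) {
    (void)verify_image(img);
    return BOOT_STARTED;
}

/* Fail-closed: anything other than VERIFY_OK (mismatch or malformed) refuses. */
int boot_checked(const struct image *img) {
    if (verify_image(img) != VERIFY_OK)
        return BOOT_REFUSED;
    return BOOT_STARTED;
}

/* Constructed sample image; 'tampered' makes the stored digest disagree. */
static const uint8_t SAMPLE[] = "constructed system image";
struct image make_image(int tampered) {
    struct image img = { SAMPLE, sizeof SAMPLE - 1, fnv1a(SAMPLE, sizeof SAMPLE - 1) };
    if (tampered) img.expected ^= 1u;
    return img;
}

int main(void) {
    struct image bad = make_image(1);
    printf("unchecked=%d checked=%d\n", boot_unchecked(&bad), boot_checked(&bad));
    return 0;
}
```

The checked path compares against `VERIFY_OK` rather than against one specific error code, so a malformed image is refused as well as a mismatched one.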
 
xuser
#2  
Any idea when they'll push the update?
 
tchebb
#3  
Quote:
Originally Posted by xuser
Any idea when they'll push the update?

According to Google, it's rolling out now.
 
ddggttff3
#4  
Thanks for this, just checked my unit, which is still on the old version. Am waiting for my cable to get here so I can root it, so glad I caught it before it updated!
 
joshw0000
#5  
Looks like the update will be automatic and my Chromecast is plugged up at home (connected to wifi). Hope it doesn't get pushed today. My powered USB OTG cable hasn't arrived yet so I can't even root it ATM.

 
paperWastage
#6  
Quote:
Originally Posted by joshw0000
Looks like the update will be automatic and my Chromecast is plugged up at home (connected to wifi). Hope it doesn't get pushed today. My powered USB OTG cable hasn't arrived yet so I can't even root it ATM.

Find out the server name/IP for the OTA update, block it on your router
 
supernova_00
#7  
Quote:
Originally Posted by paperWastage
Find out the server name/IP for the OTA update, block it on your router

Here are the URLs:
Stable channel updates http://goo.gl/3yy01K
Beta channel updates http://goo.gl/53l5sA
Dev channel updates http://goo.gl/JVkHhl

Weird...when I just loaded those, the stable channel has the highest build number. Stable is at 12840 (which is the update that is rolling out now), Beta is at 12726, Dev is at 12819
 
joshw0000
#8  
Quote:
Originally Posted by paperWastage
Find out the server name/IP for the OTA update, block it on your router

I won't be home until later tonight.

 
tvall
(Last edited by tvall; 1st August 2013 at 04:17 PM.)
#9  
Also, I'd assume replacing /boot/recovery.img with a custom recovery or just removing it would also prevent updates. Not sure though, I also don't have a Chromecast.

Also, if you are feeling adventurous, try this: http://db.tt/Ja1XBNgH. If it works, you'll have the latest software, root, and no updated bootloader. If it doesn't work, you might be able to recover by using GTVHacker's image. No promises though, since I don't own a Chromecast, I can't test it. Don't blame me if your Chromecast quits working, explodes, kills your puppy, or hands North Korea some working nukes.

@xuser your signature made me think there was an actual bug on my screen. I tried to kill it, but it ignored my attempts and kept crawling around under the glass
 
Jason_V
(Last edited by Jason_V; 1st August 2013 at 08:00 PM.) Reason: Removed for stupidity on my part
#10  
[removed]