TL;DR: DON'T DO WHAT I DID.
So, I started with this:
gdude said:
My Chromecast updated after the Autoroot and I got stuck at the "Chromecast..." screen. No luck using Flashcash or Hubcap, even when I dragged out my old Teensy 2.0 and tried at least a dozen times to get it to take. I was close to giving up and assuming my Chromecast was cooked.
Then I tried a long-shot idea described elsewhere on this thread: power up and down fast many times, and eventually I got into recovery with the Flashcast logo on screen. I was able to ssh into the recovery partition, and then…
However, what I did then instead was this:
Code:
[root@flashcast ~]# cat /dev/mtd2ro > /tmp/mtd2ro
Laptop:
Code:
$ scp root@chromecast:/tmp/mtd2ro .
Welcome to FlashCast version 1.3!
root@chromecast's password:
mtd2ro 100% 16MB 1.8MB/s 00:09
$ dd bs=1 skip=256 if=mtd2ro of=mtd2ro.raw
16776960+0 records in
16776960+0 records out
16776960 bytes (17 MB) copied, 34.7652 s, 483 kB/s
$ abootimg -i mtd2ro.raw
Android Boot Image Info:
* file name = mtd2ro.raw
* image size = 16776960 bytes (16.00 MB)
page size = 2048 bytes
* Boot Name = ""
* kernel size = 2021612 bytes (1.93 MB)
ramdisk size = 1580304 bytes (1.51 MB)
* load addresses:
kernel: 0x00608000
ramdisk: 0x01600000
tags: 0x00600100
* cmdline = init=/init console= mtdblock.ro_fspart="rootfs" ro nooverlayfs
* id = 0x48a1f96a 0x908be401 0x85d4c47d 0xfa540415 0xe42f1e3f 0x00000000 0x00000000 0x00000000
$ abootimg -x mtd2ro.raw
writing boot image config in bootimg.cfg
extracting kernel in zImage
extracting ramdisk in initrd.img
$ mkdir initrd
$ cd initrd/
$ xzcat ../initrd.img |cpio -vid
app.conf
bin
boot
build.prop
chrome
data
default.prop
dev
dmtable
etc
home
init
init.rc
lib
lib/firmware
lib/firmware/mrvl
lib/firmware/mrvl/sd8787_uapsta.bin
lib/ld-2.23.so
lib/ld-linux-armhf.so.3
lib/libc++.so
lib/libc++.so.1
lib/libc++.so.1.0
lib/libc++abi.so
lib/libc++abi.so.1
lib/libc++abi.so.1.0
lib/libc-2.23.so
lib/libc.so.6
lib/libc_stubs.so
lib/libcrypt-2.23.so
lib/libcrypt.so.1
lib/libcxxrt.so
lib/libcxxrt.so.1
lib/libdl-2.23.so
lib/libdl.so.2
lib/libgcc_s.so.1
lib/libglibc_bridge.so
lib/liblog.so
lib/libm-2.23.so
lib/libm.so.6
lib/libnsl-2.23.so
lib/libnsl.so.1
lib/libnss_compat-2.23.so
lib/libnss_compat.so.2
lib/libnss_dns-2.23.so
lib/libnss_dns.so.2
lib/libnss_files-2.23.so
lib/libnss_files.so.2
lib/libpthread-2.23.so
lib/libpthread.so.0
lib/libresolv-2.23.so
lib/libresolv.so.2
lib/librt-2.23.so
lib/librt.so.1
lib/libutil-2.23.so
lib/libutil.so.1
netflix
oem_cast_shlib
proc
res
sbin
sbin/bluetooth_setup.sh
sbin/boot_complete.sh
sbin/build_info.sh
sbin/collectd_setup.sh
sbin/coredump.sh
sbin/dmsetup
sbin/flash_recovery.sh
sbin/font_setup.sh
sbin/init
sbin/init_properties
sbin/led_feedback.sh
sbin/mount_usb_drive.sh
sbin/netflix_setup.sh
sbin/network_service.sh
sbin/playready_device_id_reset.sh
sbin/retail_demo_reboot.sh
sbin/retail_usb_flash.sh
sbin/ueventd
sbin/update_bootid_and_urandom.sh
sbin/update_engine_prefs_fixup.sh
sbin/watchdog_setup.sh
sbin/wpa_supplicant_setup.sh
sys
system
system/etc
system/etc/ld.so.preload
tmp
ueventd.eureka-b1.rc
ueventd.eureka-b2.rc
ueventd.eureka-b3.rc
ueventd.rc
usr
xbin
6993 blocks
$ vi init.rc
Commented out the lines "exec /sbin/dmsetup create system -r /dmtable" and "mount squashfs /dev/mapper/system /system ro nodev noatime" with "mount squashfs mtd@rootfs /system ro nodev noatime" inserted in their place, and also commented out the "start process_monitor" line, like
@morchu said.
Code:
$ find .|cpio --create --format='newc'|xz > ../myinitrd.img
6994 blocks
$ cd ..
$ abootimg --create myboot.img -f bootimg.cfg -k zImage -r myinitrd.img
reading config file bootimg.cfg
reading kernel from zImage
reading ramdisk from myinitrd.img
Writing Boot Image myboot.img
$ dd of=mtd2ro bs=1 seek=256 if=myboot.img
16776960+0 records in
16776960+0 records out
16776960 bytes (17 MB) copied, 34.5113 s, 486 kB/s
$ scp mtd2ro root@chromecast:/tmp/
Welcome to FlashCast version 1.3!
root@chromecast's password:
mtd2ro 100% 16MB 963.8KB/s 00:17
Chromecast:
Code:
[root@flashcast ~]# flash_mtd_partition kernel /tmp/mtd2ro
Flashing /tmp/mtd2ro to kernel (mtd2)
[root@flashcast ~]# sync
[root@flashcast ~]# sync
[root@flashcast ~]# reboot
[root@flashcast ~]# Connection to chromecast closed.
From that point forward, applying power has no effect except a solid white LED. I don't know exactly where I went wrong, nor what to do now. So, I opened the case and found the UART pinout. Without soldering anything, I held pins to the Tx and GND pads and got no output on power-on. I do have an STM32F3 Discovery board, which apparently can somehow be used to interface with the NAND chip externally, but I haven't found further instructions for such a thing on a hardware level. Thoughts? Attached is the resulting file I flashed, but bzipped.
P.S. - I didn't think it mattered, but before I rebooted it to a brick, out of curiosity, I mounted and unmounted as yaffs2 mtdblock's 4, 5, 9, and 11.