[ROOT] HubCap Chromecast Root Release!

Team-Eureka

Dear XDA Users,

We’re happy to announce that fail0verflow, GTVHacker, and Team-Eureka have jointly discovered and exploited a new vulnerability in the Chromecast which allows root access on the current software build (17977) as well as new in box devices (proof).

Requirements


Instructions

  1. Install the appropriate Teensy Root Package on your device.
    • If New In Box device, use 12940 otherwise use 16664.
    • Use plusplus_*.hex for 2++ model, regular_*.hex for 2 model
  2. Using Win32DiskImager or dd, install the Flashcast Image to the 1G+ Flashdrive.
  3. Plug in the Teensy to a USB OTG Cable, and plug it into the Chromecast while holding down the reset button.
    • The Teensy light should start flashing. If not, try the process again. After 30 seconds, it should go solid orange and the Chromecast LED should turn white.
  4. Unplug the Teensy, then plug in the flashdrive loaded with Flashcast into the OTG cable, and then press the Chromecast button again.
    • If you used the 12940 image, the LED should turn white. If you used the 16664 image, the LED should stay dim red.
  5. After about 5 minutes, the Chromecast should reboot and your device should now be rooted!

Having Problems?

  • “I am using a USB hub with an OTG cable, why is it not working?”
    • This root method requires a powered OTG cable and will not work over a USB hub. This is because the Teensy needs to be directly connected to the Chromecast to work and cannot go over a USB hub.
  • “How can I tell if the root is running?”
    • If the Chromecast is plugged into a TV, you should see a Flashcast message telling you your device is being rooted. If you do not see this message, unplug the Chromecast and try again.

Created By

@fail0verflow
@gtvhacker
@Dev_Team_Eureka

Shoutouts

Google Inc. - Thanks for the awesome device, now add fastboot support
XDA-Developers - For being the home of Chromecast Development

Download

Exploit Demo: https://www.youtube.com/watch?v=S2K72qNv1_Q
Download: http://download.gtvhacker.com/file/chromecast/HubCap.zip


Source:
GitHub: https://github.com/axoltl/HubCap
 

psouza4

Brilliant -- working through the steps now!

One bit of missing hardware that may seem obvious: you'll need a USB-to-MiniUSB cable to program the Teensy. It doesn't ship with one and it wasn't shown in the video. I had a spare, so I'm in business and will edit my post once I'm able to successfully flash my Chromecast, but it may need to be put down on the required parts list. :D

UPDATE: worked like a charm!

The rooted device was purchased from Amazon two days ago with Prime shipping. Its S/N begins 3C24***. I couldn't tell you how happy I am to have not missed root this time around. ;)

Thanks again for all your work, guys!
 

FusionX

Awesome, thanks! Downloading now and will update!

Edit: flawless victory! Rooted 2 CC, one new in box and the other on latest firmware. Great work! Can't wait to see the source to understand how the exploit took place.
 

Asphyx

Yea! I have a rooted CCast....

Just a note for Windows users who use Win32DiskImager... the Flashcast image doesn't show using the browse because it's a BIN, not an IMG file...
Just change the file filter to *.* to see the proper image to burn to the USB Jump Drive.
 

psouza4

Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.

It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?

I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.

Thoughts?
 

FusionX

Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.

It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?

I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.

Thoughts?

Not sure but one of the ones I just rooted was 37*** that was on the latest ota.

I used the 16664 with a 2++


ddggttff3

Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.

It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?

I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.

Thoughts?

The exploit should still work on the older 36** serial device with the 16664 hex file. Double check to make sure the firmware on it is 16664 or greater. You won't be able to SSH into the device unless the root flashcast image is running.
 

bunchies

Awesome! I'll keep my Chromecast off the Internets till I get the board :good:
They have it on Adafruit, which is where I got my Pi and Arduino stuff
 

psouza4

The exploit should still work on the older 36** serial device with the 16664 hex file. Double check to make sure the firmware on it is 16664 or greater. You won't be able to SSH into the device unless the root flashcast image is running.

I am an idiot and didn't press the button on the Chromecast the second time to initiate payload from the flash drive. This is TWICE I did it and forgot about it both times.

Thanks!
 

Asphyx

Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.

It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?

I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.

Thoughts?

I found it difficult to power up the system and hold the CCast button down while doing it...
Figured out that if I POWER up the OTG cable and Teensy First it was much easier to hold the button and plug the CCast power in.
Try that....The Teensy should flash, if it doesn't reprogram it.
Make sure you use the Flashcast in the Hub release not the original found elsewhere on XDA
 

psouza4

I found it difficult to power up the system and hold the CCast button down while doing it...
Figured out that if I POWER up the OTG cable and Teensy First it was much easier to hold the button and plug the CCast power in.
Try that....The Teensy should flash, if it doesn't reprogram it.
Make sure you use the Flashcast in the Hub release not the original found elsewhere on XDA

This is already resolved (posted above): I had forgotten to hit the button a second time for the flash drive payload.
 

reiteravi

I have an unopened 39xxxxxx.
Should I update it to 16664+ before rooting?
I don't know the version it comes with.
 

Top Liked Posts

    HEADS UP: Seems that google HAS PATCHED the HubCap exploit in the latest OTA (19084), but did not post the source for it (to keep us guessing?). Please avoid this OTA if you want root!
    I am running 17977 firmware. The micro is verified as a usb hub and has been flashed with the correct file.

    So you're past step 2:
    1. Get all the needed hardware (compatible board & USB OTG cable with power).
    2. Get it flashed correctly with the right version hex file.
    3. Get the Chromecast to load the exploit payload.
    4. Load Eureka to the Chromecast from your flash drive.

    Here's a hex file compiled for the Leonardo/Micro, firmware >= 16664. Give this a try. It shouldn't magically make things work, but it should let you know that you've got the timing right for step 3. The only tricky part I noted was getting the timing right on when to release the CC button. Too early, and it goes to blinking white. For me, what worked was releasing it just after the CC turned red, but it took a few minutes of trial & error.