• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

PSA: The new OTA (build 12840) patches the bootloader exploit used to obtain root

Search This thread

tchebb

Inactive Recognized Developer
Jul 28, 2010
189
241
Waltham, MA
Update

Since this thread seems to have become quite popular, I thought I'd update it to give people all the newest information in one place.

Since I've made this post, there has been another OTA (build 12940) that improves bootloader security even further and prevents some potential root methods which were being developed for 12840. As of now, neither build 12840, build 12940, nor build 13300 has a published root method. New units have the patched bootloader preloaded from the factory and are not rootable. If you buy a unit at this point, there is a good chance that you will get one that is patched. (EDIT 2013-10-22: People are reporting that units they have purchased from Best Buy and Amazon are still running the vulnerable build. It is unclear if this is simply old stock or if there are still vulnerable units being produced.)

As for the methods described below, they cannot be performed through a shell (i.e. telnet) since the root filesystem is formatted as squashfs, which is read-only. Instead, the root images must be manually repacked for each OTA and flashed using a USB drive with an image such as FlashCast. @ddggttff3 maintains a FlashCast mod to update Chromecasts to the latest firmware without losing root, which can be found here.

For those of you who have managed to keep your vulnerable bootloaders, keep your eyes out. There should be some very cool releases in the near future.

Original post

As can be seen in this commit to Google's Chromecast source mirror, firmware version 1.1 adds a check for the result of image verification on line 755. This check will cause GTVHacker's USB image to fail to boot, and you will not be able to obtain root. Even if another root exploit is found, it seems very unlikely that it will be as clean or simple as the one which exists now, which simply uses version 0.7's unlocked bootloader to flash a new system image.

Unfortunately, I don't have a Chromecast to test on, so I cannot recommend a method of disabling OTAs. However, from looking at the system image, there are a few possibilities I see. THE FOLLOWING METHODS ARE UNTESTED AND ARE NOT GUARANTEED TO WORK OR LEAVE YOUR CHROMECAST IN A WORKING STATE. PERFORM THEM AT YOUR OWN RISK.

After telnetting into your rooted Chromecast or otherwise obtaining a root shell, you can try these two possible methods
  1. Rename otacerts.zip to otacerts.zip.bak in /system/etc/security/. This may remove the OTA signing keys and cause the Chromecast to reject any OTAs. However, I do not know whether this file is actually used or whether is simply a remnant from Chromecast's Android base.
  2. Replace /chrome/update_engine with an empty, executable, shell script (make sure to make a backup copy first). I am very unsure of this method, since it is simply going off the name of the update_engine binary. If update_engine happens to perform some task core to the system, doing this will leave your device in an unusable state. If this happens, simply re-rooting using GTVHacker's USB image should restore your system to how it was.

Again, I am not responsible for any bricked Chromecasts which may result from attempting this. If you do try either method, please report whether or not it appeared to work or have any ill effects.
 
Last edited:

ddggttff3

Inactive Recognized Developer
Dec 13, 2009
802
1,534
Minnesota
Thanks for this, just checked my unit, which is still on the old version. Am waiting for my cable to get here so I can root it, so glad I caught it before it updated!
 

joshw0000

Senior Member
Jun 15, 2010
3,984
403
Looks like the update will be automatic and my Chromecast is plugged up at home (connected to wifi). Hope it doesn't get pushed today. My powered USB OTG cable hasn't arrived yet so I can't even root it ATM.

Sent from my GT-N5110 using Xparent Green Tapatalk 2
 

paperWastage

Senior Member
Mar 18, 2009
1,000
496
NJ
Looks like the update will be automatic and my Chromecast is plugged up at home (connected to wifi). Hope it doesn't get pushed today. My powered USB OTG cable hasn't arrived yet so I can't even root it ATM.

Sent from my GT-N5110 using Xparent Green Tapatalk 2


find out the server name/ip for the OTA update, block it on your router
 

supernova_00

Senior Member
Feb 1, 2012
360
62
Aberdeen, MD

tvall

Senior Member
Oct 10, 2010
2,228
792
26
Springfield
also, i'd assume replacing /boot/recovery.img with a custom recovery or just removing it would also prevent updates. not sure though, I also don't have a chromecast.

also, if you are feeling adventurous, try this: http://db.tt/Ja1XBNgH. if it works, you'll have the latest software, root, and no updated bootloader. if it doesn't work, you might be able to recover by using gtvhacker's image. no promises though, since I don't own a chromecast, I cant test it. Don't blame me if your chromecast quits working, explodes, kills your puppy, or hands north korea some working nukes.

@xuser your signature made me think there was an actual bug on my screen. I tried to kill it, but it ignored my attempts and kept crawling around under the glass
 
Last edited:
  • Like
Reactions: jlc9761 and SOHKis

Louer Adun

Senior Member
Jan 19, 2010
121
9
Wouldn't it be possible to flash build 12072 back onto the device (since it is signed by Google), and then root it using that build? That is a fairly common practice for many devices that have exploits in early releases. Is there a copy of the image for build 12072 floating around yet?
 

joshw0000

Senior Member
Jun 15, 2010
3,984
403
It's possible. But it seems like more and more manufacturers are preventing downgrading. Who actually manufacturers this thing?

Sent from my SCH-I545 using Xparent Green Tapatalk 2
 

tvall

Senior Member
Oct 10, 2010
2,228
792
26
Springfield
the chromecast seems to have a recovery mode (like android) that flashes update zips (like android). so if we found a google signed update for the original firmware that includes flashing the insecure bootloader, then downgrades are possible. but the update zips posted above include a build date check,which means you have to either modify your build.prop (requires root, which is what we are trying to accomplish) or modify the update zip (which will make it no longer google signed and valid, so it would need a custom recovery. which requires root). so, unless google lets us, downgrading is not possible.

I'm still hoping that google built in a dev-mode, like their chrome os devices.
 

Louer Adun

Senior Member
Jan 19, 2010
121
9
I'm guessing that it would still be on the old build (assuming you get it shipped soon, or pick it up at Best Buy). My Chromecast sticks still haven't updated to the latest build.
 

Louer Adun

Senior Member
Jan 19, 2010
121
9
I'm curious if you had your Chromecast powered off during the day today. And if so, did you see it update when you turned it on?

I have been using my Chromecast to stream music all day, and so far it hasn't updated to the latest build. I would assume as long as the Chromecast is off or in use casting then the update will not be performed.
 

drunknbass

Member
Nov 12, 2009
49
4
Los Angeles
I'm curious if you had your Chromecast powered off during the day today. And if so, did you see it update when you turned it on?

I have been using my Chromecast to stream music all day, and so far it hasn't updated to the latest build. I would assume as long as the Chromecast is off or in use casting then the update will not be performed.

I've turned it off a few times but it finally updated ~30 min ago.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 11
    Update

    Since this thread seems to have become quite popular, I thought I'd update it to give people all the newest information in one place.

    Since I've made this post, there has been another OTA (build 12940) that improves bootloader security even further and prevents some potential root methods which were being developed for 12840. As of now, neither build 12840, build 12940, nor build 13300 has a published root method. New units have the patched bootloader preloaded from the factory and are not rootable. If you buy a unit at this point, there is a good chance that you will get one that is patched. (EDIT 2013-10-22: People are reporting that units they have purchased from Best Buy and Amazon are still running the vulnerable build. It is unclear if this is simply old stock or if there are still vulnerable units being produced.)

    As for the methods described below, they cannot be performed through a shell (i.e. telnet) since the root filesystem is formatted as squashfs, which is read-only. Instead, the root images must be manually repacked for each OTA and flashed using a USB drive with an image such as FlashCast. @ddggttff3 maintains a FlashCast mod to update Chromecasts to the latest firmware without losing root, which can be found here.

    For those of you who have managed to keep your vulnerable bootloaders, keep your eyes out. There should be some very cool releases in the near future.

    Original post

    As can be seen in this commit to Google's Chromecast source mirror, firmware version 1.1 adds a check for the result of image verification on line 755. This check will cause GTVHacker's USB image to fail to boot, and you will not be able to obtain root. Even if another root exploit is found, it seems very unlikely that it will be as clean or simple as the one which exists now, which simply uses version 0.7's unlocked bootloader to flash a new system image.

    Unfortunately, I don't have a Chromecast to test on, so I cannot recommend a method of disabling OTAs. However, from looking at the system image, there are a few possibilities I see. THE FOLLOWING METHODS ARE UNTESTED AND ARE NOT GUARANTEED TO WORK OR LEAVE YOUR CHROMECAST IN A WORKING STATE. PERFORM THEM AT YOUR OWN RISK.

    After telnetting into your rooted Chromecast or otherwise obtaining a root shell, you can try these two possible methods
    1. Rename otacerts.zip to otacerts.zip.bak in /system/etc/security/. This may remove the OTA signing keys and cause the Chromecast to reject any OTAs. However, I do not know whether this file is actually used or whether is simply a remnant from Chromecast's Android base.
    2. Replace /chrome/update_engine with an empty, executable, shell script (make sure to make a backup copy first). I am very unsure of this method, since it is simply going off the name of the update_engine binary. If update_engine happens to perform some task core to the system, doing this will leave your device in an unusable state. If this happens, simply re-rooting using GTVHacker's USB image should restore your system to how it was.

    Again, I am not responsible for any bricked Chromecasts which may result from attempting this. If you do try either method, please report whether or not it appeared to work or have any ill effects.
    7
    Remember my bricked chromecast? I found a way to force it to load from USB. This involves opening the device, and jumping 2 pins at a select time, and UART but check the following boot log:

    http://pastebin.com/xHScat0T

    I don't know if this would allow circumventing the locked bootloader , but it might be a recovery option for people with bricks.

    EDIT: No longer have a bricked chromecast! :) Will post details in a bit for those who may be interested, or for future reference.

    EDIT2: Thread Here: http://forum.xda-developers.com/showthread.php?t=2438715
    6
    In the interim, is this still an effective way to keep it from updating? I unplugged mine this morning before I went to work and I'm heading home. Just trying to figure out a way to still be able to use it without it updating.

    Just checked again, it still trys to download an OTA.zip file so best thing is to either not use it, or keep an eye on it :/

    i'll go ahead and upload the image thats lacking update_engine

    later i'll upload a build with a modified recovery image. fiancee is missing me. I've spent too much time on this for now.

    ---------- Post added at 08:45 PM ---------- Previous post was at 08:11 PM ----------

    https://dl.dropboxusercontent.com/u/19978192/gtvhacker-chromecast.bin.gz

    this has update_engine replaced by a dummy script. this should kill ota updates, but it might not. again, provided as-is, no warranty, your problem if it breaks, yada yada.

    I'll work on this crap more tomorrow.
    4
    Thanks. That would be great. I managed to decompress the kernel but still couldn't find the RAM disk with your script. I also managed to compile the chromecast kernel from source. I may keep plugging away at figuring this out until you are able to get to it yourself.

    Well if you compiled it yourself, you are nearly there. Quick overview of what we had to do:

    /arch/arm/mach-mv88de3100/mv88de31xx_android.c , start setting partitions to RW in there, also disable any of the recovery boot options, and you may want to alter the command line in there (if not, arch/arm/kernel/setup.c)

    When you build (what I did) was set CONFIG_INITRAMFS / CONFIG_INITRAMFS_SOURCE for your ramdisk, and pull the stock kernel ramdisk, and do some mods to it. Then point the INITRAMFS_SOURCE to where you modified the kernel ramdisk.

    Hopefully that will help some, still been meaning to push our modded kernel source, but haven't had the time.
    4
    Someone get me a copy of the new update, and ill make a rooted image.

    We need to find a bootloader exploit

    Sent from my Evo V 4G using Tapatalk 2