Introduction:
This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).
This uses a bootROM bug in the SoC found by security researcher Frederic Basse (frederic).
Frederic also did a great amount of work to temporarily boot a custom OS from USB here.
Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability, provided tools, and customized a u-boot image that takes advantage of the secure-execution environment it provides to fully unlock the device's bootloader.
Disclaimer:
You are solely responsible for any potential damage(s) caused to your device by this exploit.
FAQ:
- Does unlocking the bootloader void my warranty on this device?
Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.
- Does unlocking the bootloader break DRM in any way?
Nope, just like unlocking a Pixel device officially.
- Can I OTA afterwards?
NO - It will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than
- Can I use stock?
Yes, but only if you flashed the newer patched factory image offered up in the script.
- Can I go back to stock after installing custom OSes?
Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2021-08-05. The tool offers to put you on a newer firmware; it's highly recommended to do so.
- Can I re-lock the bootloader?
If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.
- I've run the exploit 10 times and it isn't working yet!
Swap USB ports/cables and keep trying; for some people it takes one attempt, for others it takes a lot of attempts.
Requirements:
- Chromecast With Google TV (sabrina) without USB password mitigation¹
- Either a USB A to C, or a C to C cable
- A PC running some flavor of 64-bit GNU Linux
- `libusb-dev` installed
- `fastboot` & `mke2fs` installed from the SDK Platform tools
Instructions:
Follow the detailed and up-to-date instructions over at our GitHub repo, and maybe give the writeup a read/share on social media!
Post-unlock:
- The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
- At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.
Credits:
- Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
- Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
- Frederic Basse (frederic): The initial exploit and the AES key tip
- Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
- Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
- Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
- XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.