The script inside the zip (flash-all.sh) looks for dtb.img instead of dt.img, not the unlock and repair scripts.
[RELEASE] Chromecast with Google TV Bootloader Unlock
- Thread starter npjohnson
- Start date
I have been able to rw the dynamic partitions, edit them, and repack, but I haven't been able to merge an incremental ota into a full image. Can you share this python script if you don't mind? Thank you.
GitHub - erfanoabdi/imgpatchtools: Patch img files with system.patch.dat, like OTA zip on PC
Patch img files with system.patch.dat, like OTA zip on PC - GitHub - erfanoabdi/imgpatchtools: Patch img files with system.patch.dat, like OTA zip on PC
github.com
A new update for sabrina (QTS1.220504.008) showed up a few days ago. If you're dying to update safely (i.e., without losing the unlock), PM me and I will send you the update to test-flash.
I have already "fixed" it to create a new super.img (and an accompanying boot.img) from the latest update -- with the required changes to vendor.img and without the bootloader image. Boots fine and retains the unlock.
Oh, you copied the .TA files over and all?
Was it a full OTA this time?
It was a delta last time which was a pain in the ass lol
Yes to the *.ta files. No, incremental again. You're on the money about the PITA part.
Ugh.
Alright.
If you already did it mind sharing it here? I'll test it then link in the thread.
Here. Contains only the updated partitions. If the super.img does not work, let me know and I'll upload the dynamic partitions separately.
D
Deleted member 11959327
Guest
When I installed a uart header in one of my sabrinas last year, I used this image from the unlock writeup as reference for the serial connections:
and installed the uart header thusly:
Today I was booting ubuntu on sabrina and trying to interrupt uboot (fred has bootdelay set at non-zero value). I couldn't interrupt uboot.
It turns out that I had RX connected to the wrong location. It actually is here:
The correct tx/rx locations also correspond to these locations on the edge connector:
Please excuse this post if this info has been mentioned previously.
and installed the uart header thusly:
Today I was booting ubuntu on sabrina and trying to interrupt uboot (fred has bootdelay set at non-zero value). I couldn't interrupt uboot.
It turns out that I had RX connected to the wrong location. It actually is here:
The correct tx/rx locations also correspond to these locations on the edge connector:
Please excuse this post if this info has been mentioned previously.
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
1
I think I'm better off finding one in eBay, that was manufactured before that date plus having a older version of the OS.
Although thank you for the info. -
16Introduction:
This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).
This uses a bootROM bug in the SoC by security researcher Frederic Basse (frederic).
Frederic also did a great amount of work to temporarily boot a custom OS from USB here.
Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability and provided tools and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader unlock the device.
Disclaimer:
You are solely responsible for any potential damage(s) caused to your device by this exploit.
FAQ:
- Does unlocking the bootloader void my warranty on this device?
Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.
- Does unlocking the bootloader break DRM in any way?
Nope, just like unlocking a Pixel device officially.
- Can I OTA afterwards?
NO - It will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than
- Can I use stock?
Yes, but only if you flashed the newer patched factory image offered up in the script.
- Can I go back to stock after installing custom OS's?
Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2021-08-05. The tool offers to put you on a newer firmware, it's highly recommended to do so.
- Can I re-lock the bootloader?
If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.
- I've run the exploit 10 times and it isn't working yet!
Swap USB ports/cables, and keep trying, for some people it takes one attempt, for some it takes a lot of attempts.
Requirements:
- Chromecast With Google TV (sabrina) without USB password mitigation¹
- Either a USB A to C, or a C to C cable
- A PC running some flavor of 64-bit GNU Linux
- `libusb-dev` installed
- `fastboot` & `mke2fs` installed from the SDK Platform tools
Instructions:
Follow the detailed and up-to-date instructions over at our Github repo, and maybe give the writeup a read/share on social media!
Post-unlock:
- The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
- At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.
Credits:
- Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
- Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
- Frederic Basse (frederic): The initial exploit and the AES key tip
- Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
- Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
- Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
- XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.
22I've updated the g12 thread to support sabrina - the beta LineageOS builds for it are live!
If you want to come back from them, just re-run unlock.sh and select to flash the factory image.
