[RELEASE] Chromecast with Google TV Bootloader Unlock

Search This thread


Recognized Developer
I have been able to rw the dynamic partitions, edit them, and repack, but I haven't been able to merge an incremental ota into a full image. Can you share this python script if you don't mind? Thank you.


New member
Jun 14, 2021
Is there anyone from Europe here who is interested in buying exploitable CCwGTV?
Last edited:


Senior Member
Jan 14, 2011
Central FL
A new update for sabrina (QTS1.220504.008) showed up a few days ago. If you're dying to update safely (i.e., without losing the unlock), PM me and I will send you the update to test-flash.


Recognized Developer
I have already "fixed" it to create a new super.img (and an accompanying boot.img) from the latest update -- with the required changes to vendor.img and without the bootloader image. Boots fine and retains the unlock.
Oh, you copied the .TA files over and all?

Was it a full OTA this time?

It was a delta last time which was a pain in the ass lol

Deleted member 11959327

When I installed a uart header in one of my sabrinas last year, I used this image from the unlock writeup as reference for the serial connections:


and installed the uart header thusly:


Today I was booting ubuntu on sabrina and trying to interrupt uboot (fred has bootdelay set at non-zero value). I couldn't interrupt uboot.

It turns out that I had RX connected to the wrong location. It actually is here:


The correct tx/rx locations also correspond to these locations on the edge connector:


Please excuse this post if this info has been mentioned previously.

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    Have fun with that - but sure, maybe - You'd need to replace the EMMC with one with an older bootloader too to prevent blowing the fuse again on first boot.

    It just makes no sense price wise - even if you could.
    I think I'm better off finding one in eBay, that was manufactured before that date plus having a older version of the OS.
    Although thank you for the info.
  • 16

    This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).

    This uses a bootROM bug in the SoC by security researcher Frederic Basse (frederic).

    Frederic also did a great amount of work to temporarily boot a custom OS from USB here.

    Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability and provided tools and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader unlock the device.


    You are solely responsible for any potential damage(s) caused to your device by this exploit.


    - Does unlocking the bootloader void my warranty on this device?
    Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.

    - Does unlocking the bootloader break DRM in any way?
    Nope, just like unlocking a Pixel device officially.

    - Can I OTA afterwards?
    NO - It will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than

    - Can I use stock?
    Yes, but only if you flashed the newer patched factory image offered up in the script.

    - Can I go back to stock after installing custom OS's?
    Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2021-08-05. The tool offers to put you on a newer firmware, it's highly recommended to do so.

    - Can I re-lock the bootloader?
    If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.

    - I've run the exploit 10 times and it isn't working yet!
    Swap USB ports/cables, and keep trying, for some people it takes one attempt, for some it takes a lot of attempts.

    • Chromecast With Google TV (sabrina) without USB password mitigation¹
    • Either a USB A to C, or a C to C cable
    • A PC running some flavor of 64-bit GNU Linux
    • `libusb-dev` installed
    • `fastboot` & `mke2fs` installed from the SDK Platform tools
    ¹: The USB password mitigation has been enabled on units manufactured in December 2020 and after. For units manufactured before, the mitigation was enabled by software update in February 2021. To discern this, look at the MFP date on the bar-code sticker on the bottom of your device's box. If you've powered it on and OTA'd, your firmware version needs to be below the February 2021 patch level. It's not possible to disable/change the password since it's burnt into the chip (efuses).


    Follow the detailed and up-to-date instructions over at our Github repo, and maybe give the writeup a read/share on social media!

    • The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
    • At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.

    • Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
    • Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
    • Frederic Basse (frederic): The initial exploit and the AES key tip
    Special Thanks:
    • Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
    • Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
    • Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
    • XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.
    wow im glad i left mine unplugged
    Alright, here you go:

    Opening it up, this seems to be a partial OTA that takes the device from QTS1.210311.008 to QTS1.210311.036.
    Perfect. Thx. Will aim to look this weekend.
    I've updated the g12 thread to support sabrina - the beta LineageOS builds for it are live!

    If you want to come back from them, just re-run unlock.sh and select to flash the factory image.
    Thanks OP - script worked a treat on an (unused) unit, MFG: 07/2020.
    Any advice on blocking / disabling the OTA updates? Can't see any instructions searching around (and not much use it until that hurdle cleared!)