Sad. So we finally hit the Teetz incompatibility day.
Using stock 12 vendor, the system won't boot at all.
Teetz-patched 12 vendor: the system boots fine, the drminfo app reports L1 the same as a working device would, but no DRM video of any kind will play.
Yes, it's official firmware.
> Right after I posted I went to explore and saw the dumps. I noticed there were some userdebug builds early on.. pretty cool.. are these all official firmwares?
And yes, makes sense.. it's easier to find a zero-day exploit these days than to waste time trying to get the hardware-fused private keys :-/
Do you have a complete zip of one of those old userdebug builds? The stuff on tadiphone is missing stuff, like the recovery image. I don't care that the bootloader is too old to be run or that the AVB keys are different.
No, those were dumped randomly, and I'm not sure of their original source.
> Do you have a complete zip of one of those old userdebug builds? The stuff on tadiphone is missing stuff, like the recovery image. I don't care that the bootloader is too old to be run or that the AVB keys are different.
Yes, I downloaded from XDA and Reddit; tomorrow I will upload them.
> Do you have a complete zip of one of those old userdebug builds? The stuff on tadiphone is missing stuff, like the recovery image. I don't care that the bootloader is too old to be run or that the AVB keys are different.
What Android version?
> Hi, so I've figured out that my CCwGTV is getting into fastboot and I had a udev issue. I was able to get the unlock and repair scripts to work. The repair script ran and I reflashed the stock with the modded setup wizard. When booting after the repair script, it is still stuck on the 'G' logo. I ran the unlock script, and that worked and booted the modded setup wizard; however, it still attempts to download and update my device. It downloads the update and reboots the device, but it is not able to update. The modded setup wizard still tries to update the system. Any ideas why, or anything I can do to bypass this?
> Do you have a complete zip of one of those old userdebug builds? The stuff on tadiphone is missing stuff, like the recovery image. I don't care that the bootloader is too old to be run or that the AVB keys are different.
> Do you have a complete zip of one of those old userdebug builds? The stuff on tadiphone is missing stuff, like the recovery image. I don't care that the bootloader is too old to be run or that the AVB keys are different.
I sent that post over a month ago.
> Why did you twice quote those two old posts? I've given up looking for a userdebug version of recovery for sabrina. I'm not using the device anymore.
I got mine to reboot into recovery mode, fastboot, and bootloader mode. Any chance I can downgrade?
> Gotcha.. so not what I was looking for lol.. seems they somehow dumped them from the device, maybe, then uploaded to GitLab.. I was looking for more official OTA zips that can be flashed in stock recovery.. can't use fastboot while the device is locked.
Is there any way I can perform surgery on the CCwGTV to replace that blown efuse?
> Introduction:
> This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).
> This uses a bootROM bug in the SoC found by security researcher Frederic Basse (frederic).
> Frederic also did a great amount of work to temporarily boot a custom OS from USB here.
> Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability, provided tools, and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader-unlock the device.
> Disclaimer:
> You are solely responsible for any potential damage(s) caused to your device by this exploit.
> FAQ:
> - Does unlocking the bootloader void my warranty on this device?
> Probably; assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.
> - Does unlocking the bootloader break DRM in any way?
> Nope, just like unlocking a Pixel device officially.
> - Can I OTA afterwards?
> NO - it will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than
> - Can I use stock?
> Yes, but only if you flashed the newer patched factory image offered in the script.
> - Can I go back to stock after installing custom OSes?
> Yeah, totally; here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2021-08-05. The tool offers to put you on a newer firmware; it's highly recommended to do so.
> - Can I re-lock the bootloader?
> If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.
> - I've run the exploit 10 times and it isn't working yet!
> Swap USB ports/cables and keep trying; for some people it takes one attempt, for some it takes a lot of attempts.
> Requirements:
> - Chromecast With Google TV (sabrina) without the USB password mitigation¹
> - Either a USB A to C, or a C to C cable
> - A PC running some flavor of 64-bit GNU/Linux
> - `libusb-dev` installed
> - `fastboot` & `mke2fs` installed from the SDK Platform tools
> ¹: The USB password mitigation has been enabled on units manufactured in December 2020 and after. For units manufactured before, the mitigation was enabled by software update in February 2021. To discern this, look at the MFP date on the bar-code sticker on the bottom of your device's box. If you've powered it on and OTA'd, your firmware version needs to be below the February 2021 patch level. It's not possible to disable/change the password since it's burnt into the chip (efuses).
> Instructions:
> Follow the detailed and up-to-date instructions over at our GitHub repo, and maybe give the writeup a read/share on social media!
> Post-unlock:
> - The script asks if you want to flash LineageOS Recovery or a Magisk-patched boot image, so enjoy those!
> - At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.
> Credits:
> Special Thanks:
> - Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
> - Jan Altensen (Stricted): The initial concept, the u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
> - Frederic Basse (frederic): The initial exploit and the AES key tip
> - Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
> - Chris DiBona: Being an awesome advocate of OSS software and helping ensure that we got all the source code pertinent to the device.
> - Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
> - XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.
No lol, they're microscopic and on the actual CPU.
> Is there any way I can perform surgery on the CCwGTV to replace that blown efuse?
I got a microscope for soldering
Lol, I do too - what I'm saying is - you'd need a full internal X-ray of the SoC, you'd need someone who knows how the physical fuse mapping relates to fuse labels/address spaces, you'd need to scrape the CPU down in just the right area (we're talking millimeters), and then you'd potentially be able to _see_ them, but you cannot replace them - these are too small to solder; we're talking 1/1000th the size of the CPU itself, likely smaller.
Replace the CPU?
Have fun with that - but sure, maybe - you'd need to replace the eMMC with one with an older bootloader too, to prevent blowing the fuse again on first boot.
I think I'm better off finding one on eBay that was manufactured before that date, plus having an older version of the OS.
> Have fun with that - but sure, maybe - you'd need to replace the eMMC with one with an older bootloader too, to prevent blowing the fuse again on first boot.
It just makes no sense price-wise - even if you could.
Perfect. Thx. Will aim to look this weekend.
> Alright, here you go:
> https://android.googleapis.com/packages/ota-api/package/4351348667e5a100f58e0a8096f23959c1f30c5f.zip
> Opening it up, this seems to be a partial OTA that takes the device from QTS1.210311.008 to QTS1.210311.036.
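Before sideloading a package like the one linked above, it is worth reading its metadata rather than trusting the file name: the writeup's footnote says the BootROM USB password gets enabled by any firmware at or past the February 2021 patch level, and the FAQ says an OTA re-locks the bootloader. The script below is an added example for this thread, not code from the unlock tooling or from anyone in the thread. It reads `META-INF/com/android/metadata` (the key=value file every Android OTA zip carries), reports whether the package is a full or incremental one, which build IDs it moves between, and whether its `post-security-patch-level` is at or past that cutoff. The sample zip it constructs in memory uses the two build IDs and the device name from the thread; its fingerprints, incremental numbers, patch level and timestamp are made-up placeholders, not values read from the real package.

```python
"""Inspect an Android OTA zip before applying it.

Added example for this thread, not part of the unlock tooling. Reads
META-INF/com/android/metadata from an OTA zip and reports the build
transition and security patch level. build_sample_ota() constructs a
package in memory with placeholder values so the script runs offline.
"""
import io
import sys
import zipfile

METADATA_PATH = "META-INF/com/android/metadata"
# From the writeup's footnote: firmware must stay below the February 2021
# patch level, otherwise the BootROM USB password mitigation is enabled.
USB_PASSWORD_CUTOFF = "2021-02"


def parse_metadata(text):
    """Parse the key=value lines of an OTA metadata file into a dict."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:  # skip blank lines and lines without '='
            meta[key.strip()] = value.strip()
    return meta


def build_id(fingerprint):
    """Extract BUILD_ID from brand/product/device:ver/BUILD_ID/incr:type/tags."""
    if not fingerprint:
        return None
    parts = fingerprint.split("/")
    return parts[3] if len(parts) > 3 else None


def summarize(meta):
    """Classify the package and extract what a flasher needs to know."""
    # A full OTA carries only post-build; an incremental (partial) OTA also
    # carries pre-build and only applies to a device on exactly that build.
    pre = meta.get("pre-build")
    post = meta.get("post-build")
    patch = meta.get("post-security-patch-level")
    return {
        "ota_type": meta.get("ota-type", "unknown"),
        "device": meta.get("pre-device"),
        "incremental": pre is not None,
        "from_build": build_id(pre),
        "to_build": build_id(post),
        "patch_level": patch,
        # ISO dates compare correctly as strings: True means applying this
        # package puts the device at or past the cutoff.
        "crosses_cutoff": patch is not None and patch >= USB_PASSWORD_CUTOFF,
    }


def inspect_ota(source):
    """Open an OTA zip (path or file-like object) and summarize it."""
    with zipfile.ZipFile(source) as zf:
        if METADATA_PATH not in zf.namelist():
            raise ValueError("not an Android OTA zip: no " + METADATA_PATH)
        return summarize(parse_metadata(zf.read(METADATA_PATH).decode("utf-8")))


def build_sample_ota():
    """Constructed sample: an incremental sabrina OTA. The build IDs are the
    two named in the thread; incremental numbers, patch level and timestamp
    are placeholders, not values from the real package."""
    meta = "\n".join([
        "ota-type=AB",
        "pre-device=sabrina",
        "pre-build=google/sabrina/sabrina:10/QTS1.210311.008/1111111:user/release-keys",
        "pre-build-incremental=1111111",
        "post-build=google/sabrina/sabrina:10/QTS1.210311.036/2222222:user/release-keys",
        "post-build-incremental=2222222",
        "post-security-patch-level=2021-03-05",
        "post-timestamp=1617000000",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(METADATA_PATH, meta)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass the path of a downloaded OTA zip; with no argument, use the sample.
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_ota()
    for key, value in inspect_ota(source).items():
        print(f"{key}: {value}")
```

Run it as `python3 inspect_ota.py package.zip` on a downloaded package. An incremental result means the zip only applies to a device already on `from_build`, which is why a partial OTA like the linked one cannot bring a device forward from an arbitrary older firmware; a `crosses_cutoff` of True is the one to stop at on a unit you still intend to exploit.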