[RELEASE] Chromecast with Google TV Bootloader Unlock

Search This thread
By:
Advanced…
B

bloxycola

Senior Member
Nov 11, 2022
54
4
Google Nexus 5
Nexus 6
npjohnson said:
Have fun with that - but sure, maybe - You'd need to replace the EMMC with one with an older bootloader too to prevent blowing the fuse again on first boot.

It just makes no sense price wise - even if you could.
Click to expand...
Click to collapse
I think I'm better off finding one in eBay, that was manufactured before that date plus having a older version of the OS.
Although thank you for the info.
 
  • Like
Reactions: npjohnson
S

supermansaga

Senior Member
Mar 12, 2011
182
26
We need to root this thing in order to use Movies Anywhere app in unsupported countries. It appears the app doesn't reject VPN outright like Vudu does, but it relies on your device's location.
 
You must log in or register to reply here.

Similar threads

N
  • Locked
[OFFICIAL/UNOFFICIAL] LineageOS 19.1 for Amlogic G12*/SM1 Family Devices
Replies
2K
Views
233K
karandpr
karandpr
M
How To install Google TV Launcher on Android 9 TV
Replies
19
Views
18K
m12v345
m12v345
ichyb3ll
Google TV file manager problem!!
Replies
49
Views
13K
W
Waicol
JasW
Can't enable Developer Mode on new Chromecast with Google TV
Replies
2
Views
8K
D
DonChino
N
[OFFICIAL/UNOFFICIAL] LineageOS 20 for Amlogic GXL/GXM/G12*/SM1 Family Devices
Replies
324
Views
28K
A
apropper

Top Liked Posts

24 Hours 30 Days All time
  • There are no posts matching your filters.
  • 1
    onion4
    onion4
    Hi, has there been any progress with unlocking the FHD version of this chromecast? (boreal)
    View
  • 17
    N
    npjohnson
    Introduction:

    This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).

    This uses a bootROM bug in the SoC by security researcher Frederic Basse (frederic).

    Frederic also did a great amount of work to temporarily boot a custom OS from USB here.

    Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability and provided tools and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader unlock the device.

    Disclaimer:

    You are solely responsible for any potential damage(s) caused to your device by this exploit.

    FAQ:

    - Does unlocking the bootloader void my warranty on this device?
    Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.

    - Does unlocking the bootloader break DRM in any way?
    Nope, just like unlocking a Pixel device officially.

    - Can I OTA afterwards?
    NO - It will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than

    - Can I use stock?
    Yes, but only if you flashed the newer patched factory image offered up in the script.

    - Can I go back to stock after installing custom OS's?
    Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2021-08-05. The tool offers to put you on a newer firmware, it's highly recommended to do so.

    - Can I re-lock the bootloader?
    If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.

    - I've run the exploit 10 times and it isn't working yet!
    Swap USB ports/cables, and keep trying, for some people it takes one attempt, for some it takes a lot of attempts.

    Requirements:
    • Chromecast With Google TV (sabrina) without USB password mitigation¹
    • Either a USB A to C, or a C to C cable
    • A PC running some flavor of 64-bit GNU Linux
    • `libusb-dev` installed
    • `fastboot` & `mke2fs` installed from the SDK Platform tools
    ¹: The USB password mitigation has been enabled on units manufactured in December 2020 and after. For units manufactured before, the mitigation was enabled by software update in February 2021. To discern this, look at the MFP date on the bar-code sticker on the bottom of your device's box. If you've powered it on and OTA'd, your firmware version needs to be below the February 2021 patch level. It's not possible to disable/change the password since it's burnt into the chip (efuses).

    Instructions:

    Follow the detailed and up-to-date instructions over at our Github repo, and maybe give the writeup a read/share on social media!

    Post-unlock:
    • The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
    • At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.

    Credits:
    • Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
    • Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
    • Frederic Basse (frederic): The initial exploit and the AES key tip
    Special Thanks:
    • Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
    • Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
    • Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
    • XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.
    View
    3
    Logix
    Logix
    wow im glad i left mine unplugged
    View
    2
    N
    npjohnson
    ubergeek77 said:
    Alright, here you go:


    Opening it up, this seems to be a partial OTA that takes the device from QTS1.210311.008 to QTS1.210311.036.
    Click to expand...
    Click to collapse
    Perfect. Thx. Will aim to look this weekend.
    View
    2
    N
    npjohnson
    I've updated the g12 thread to support sabrina - the beta LineageOS builds for it are live!

    If you want to come back from them, just re-run unlock.sh and select to flash the factory image.
    View
    2
    JJ2017
    JJ2017
    Thanks OP - script worked a treat on an (unused) unit, MFG: 07/2020.
    Any advice on blocking / disabling the OTA updates? Can't see any instructions searching around (and not much use it until that hurdle cleared!)
    View

New posts