[RELEASE] Chromecast with Google TV Bootloader Unlock

Have fun with that - but sure, maybe - You'd need to replace the EMMC with one with an older bootloader too to prevent blowing the fuse again on first boot.

It just makes no sense price wise - even if you could.
I think I'm better off finding one on eBay that was manufactured before that date, plus having an older version of the OS.
Although thank you for the info.

supermansaga

Senior Member
Mar 12, 2011
335
71
We need to root this thing in order to use Movies Anywhere app in unsupported countries. It appears the app doesn't reject VPN outright like Vudu does, but it relies on your device's location.
 

Functioner

Senior Member
Jan 16, 2023
244
117
Have confirmed that all of the variables work the same in the last versions of the Android 10 bootloaders and in the new Android 12 bootloaders.
 

SiViS

Member
Jan 10, 2011
39
5
Thank you, npjohnson!
I've followed the script but now my device is in a bootloop. What can I do?
 

SiViS

Member
Jan 10, 2011
39
5
does it get to the bootlogo of stock? Or does it just hang at the splash screen?
It shows the G, hangs for a few seconds and then resets.

When I go through the unlock process again - it succeeds, and I can even see the LineageOS recovery. I tried flashing stock boot.img through it but it did not help.
 

dante_ov

Member
Jun 14, 2021
17
0
It's quite sad that @Functioner removed the pinout post; it's annoying how much good stuff gets removed these days.
And I don't think that sabrina is in her last days, there is still nothing from Google to replace it. Regardless, it's a solid streaming device and will be supported for a long time.
 

Functioner

Senior Member
Jan 16, 2023
244
117
It's quite sad that @Functioner removed the pinout post; it's annoying how much good stuff gets removed these days.
And I don't think that sabrina is in her last days, there is still nothing from Google to replace it. Regardless, it's a solid streaming device and will be supported for a long time.

Feel free to repost any images you like.
 

sergiodbx

Member
Dec 13, 2021
6
3
Hello everyone. I have a pair of Chromecast Google TV with MFQ 08/2020. I could not find the update file from 02/2021 anywhere, after which a password is activated on the device that blocks the operation of the amlogic-usbdl exploit. And I had the idea to try to "catch" this update. I think that after connecting Sabrina to the power supply and the Internet, you can track the time when the 02/2021 update files are downloaded to it and turn off the power supply and the Internet before the update begins. Then remove the EMMC from the board and read the dump from it. Then, comparing the factory backup of Sabrina and the backup copy after downloading the update, make a dump of update 02/2021 and try to find the password.bin value in it. Do you think it makes sense to try it? Maybe someone has already done it or tried? Maybe someone knows in which sections of EMMC the OTA update for Sabrina is recorded? Only in the cache section or partially in the data? What do you think about this idea?
 
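The "compare the factory backup with the post-download backup" step above is differential imaging, so here is an added example (not code from this thread or from the unlock project) that diffs two raw eMMC dumps block by block and reports how many bytes changed in each partition. The partition layout, block size and sample images are constructed for demonstration; on a real dump the layout has to be read from the device's own partition table.

```python
"""Added example (not from the thread): block-wise diff of two raw eMMC
dumps, attributing the changed byte ranges to partitions from a
caller-supplied layout. Layout and sample images below are constructed."""
from typing import Dict, List, Tuple

BLOCK = 4096                 # comparison granularity in bytes (constructed choice)
Range = Tuple[int, int]      # (start, end) byte offsets, end exclusive


def changed_ranges(before: bytes, after: bytes, block: int = BLOCK) -> List[Range]:
    """Return coalesced byte ranges whose blocks differ between the two images."""
    if len(before) != len(after):
        raise ValueError("dumps must be the same size for a block-wise compare")
    ranges: List[Range] = []
    for off in range(0, len(before), block):
        end = min(off + block, len(before))   # last block may be partial
        if before[off:end] != after[off:end]:
            if ranges and ranges[-1][1] == off:   # adjacent block: extend the run
                ranges[-1] = (ranges[-1][0], end)
            else:
                ranges.append((off, end))
    return ranges


def attribute_to_partitions(ranges: List[Range], layout: Dict[str, Range]) -> Dict[str, int]:
    """Count changed bytes per partition; bytes outside the layout go to 'unmapped'."""
    counts: Dict[str, int] = {}
    for s, e in ranges:
        covered = 0
        for name, (ps, pe) in layout.items():
            overlap = min(e, pe) - max(s, ps)
            if overlap > 0:
                counts[name] = counts.get(name, 0) + overlap
                covered += overlap
        if covered < e - s:
            counts["unmapped"] = counts.get("unmapped", 0) + (e - s - covered)
    return counts


# Constructed sample: an 8-block image with two hypothetical partitions.
SAMPLE_LAYOUT: Dict[str, Range] = {"cache": (0, 4 * BLOCK), "userdata": (4 * BLOCK, 8 * BLOCK)}
SAMPLE_BEFORE = bytes(8 * BLOCK)
_after = bytearray(SAMPLE_BEFORE)
_after[BLOCK + 10] = 0x5A      # block 1 modified
_after[2 * BLOCK] = 0x5A       # block 2 modified (coalesces with block 1)
_after[6 * BLOCK + 5] = 0x5A   # block 6 modified
SAMPLE_AFTER = bytes(_after)


def demo() -> Dict[str, int]:
    """Changed bytes per partition for the constructed sample."""
    return attribute_to_partitions(changed_ranges(SAMPLE_BEFORE, SAMPLE_AFTER), SAMPLE_LAYOUT)
```

Feed it the two dumps read with `open(path, "rb").read()` and a layout built from the real GPT; a large delta inside a partition the update is not expected to touch is the thing worth investigating.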

Top Liked Posts

  • 2
    Hey all, I am moving and therefore some of the links in the OP may be down for a few days. Likely Wednesday, Friday at the worst.

    Don't panic when the script can't fetch the firmwares/images it needs. It is a planned outage.

    Thanks, see you on the other side!
    2
    Hey y'all - Unofficial download portal is back up.

    Unlock and factory image flash scripts should work now.

    It may be hit and miss tomorrow as I rewire everything, but everything /should/ be functional for now.

    Thanks!
  • 17
    Introduction:

    This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).

    This uses a bootROM bug in the SoC by security researcher Frederic Basse (frederic).

    Frederic also did a great amount of work to temporarily boot a custom OS from USB here.

    Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability and provided tools and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader unlock the device.

    Disclaimer:

    You are solely responsible for any potential damage(s) caused to your device by this exploit.

    FAQ:

    - Does unlocking the bootloader void my warranty on this device?
    Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.

    - Does unlocking the bootloader break DRM in any way?
    Nope, just like unlocking a Pixel device officially.

    - Can I OTA afterwards?
    NO - It will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than

    - Can I use stock?
    Yes, but only if you flashed the newer patched factory image offered up in the script.

    - Can I go back to stock after installing custom OSes?
    Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2021-08-05. The tool offers to put you on a newer firmware; it's highly recommended to do so.

    - Can I re-lock the bootloader?
    If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.

    - I've run the exploit 10 times and it isn't working yet!
    Swap USB ports/cables and keep trying; for some people it takes one attempt, for others it takes a lot of attempts.

    Requirements:
    • Chromecast With Google TV (sabrina) without USB password mitigation¹
    • Either a USB A to C, or a C to C cable
    • A PC running some flavor of 64-bit GNU Linux
    • `libusb-dev` installed
    • `fastboot` & `mke2fs` installed from the SDK Platform tools
    ¹: The USB password mitigation has been enabled on units manufactured in December 2020 and after. For units manufactured before, the mitigation was enabled by software update in February 2021. To discern this, look at the MFP date on the bar-code sticker on the bottom of your device's box. If you've powered it on and OTA'd, your firmware version needs to be below the February 2021 patch level. It's not possible to disable/change the password since it's burnt into the chip (efuses).

    Instructions:

    Follow the detailed and up-to-date instructions over at our GitHub repo, and maybe give the writeup a read/share on social media!

    Post-unlock:
    • The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
    • At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.

    Credits:
    • Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
    • Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
    • Frederic Basse (frederic): The initial exploit and the AES key tip
    Special Thanks:
    • Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
    • Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
    • Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
    • XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.
    3
    wow im glad i left mine unplugged
    2
    Alright, here you go:


    Opening it up, this seems to be a partial OTA that takes the device from QTS1.210311.008 to QTS1.210311.036.
    Perfect. Thx. Will aim to look this weekend.
    2
    I've updated the g12 thread to support sabrina - the beta LineageOS builds for it are live!

    If you want to come back from them, just re-run unlock.sh and select to flash the factory image.