
[RELEASE] Chromecast with Google TV Bootloader Unlock


npjohnson

Recognized Developer
Magisk-patched boot.img boots fine.
Unpack this https://android.googleapis.com/packages/ota-api/package/1e09bc180c7183461e21cf31f1347dd6ad1410c4.zip, and follow the LineageOS wiki guide to unpack it. Then unpack super.img using the WIP instructions here https://review.lineageos.org/c/LineageOS/lineage_wiki/+/313040 and then flash system, vendor, product, dtbo, and boot.

See if that's enough to sidestep the OTA. Just don't flash bootloader.img
 

p0werpl

Member
Aug 30, 2021
47
3
Unpack this https://android.googleapis.com/packages/ota-api/package/1e09bc180c7183461e21cf31f1347dd6ad1410c4.zip, and follow the LineageOS wiki guide to unpack it. Then unpack super.img using the WIP instructions here https://review.lineageos.org/c/LineageOS/lineage_wiki/+/313040 and then flash system, vendor, product, dtbo, and boot.

See if that's enough to sidestep the OTA. Just don't flash bootloader.img
I let the device check for and download the system update. The downloaded update.zip in /cache was incremental (same as the one you linked above). Is there no full update?
 

p0werpl

Member
Aug 30, 2021
47
3
The one I linked isn't incremental though? Should be a full image.
Yes, that looks like a full image.

super.img has four images: odm.img, product.img, system.img, vendor.img. I have to repack all four into super.img?

What's the (relatively) safer way to flash: fastboot or dd in lineage recovery?
 

npjohnson

Recognized Developer
Yes, that looks like a full image.

super.img has four images: odm.img, product.img, system.img, vendor.img. I have to repack all four into super.img?

What's the (relatively) safer way to flash: fastboot or dd in lineage recovery?
No, unlock bootloader, flash lineage recovery, then fastboot flash each partition.

Or I mean, you can just boot to bootloader and flash super.img as a whole. That would probably work as well. You need to do boot and dtbo as well, though.
 

p0werpl

Member
Aug 30, 2021
47
3
No, unlock bootloader, flash lineage recovery, then fastboot flash each partition.

Or I mean, you can just boot to bootloader and flash super.img as a whole. That would probably work as well. You need to do boot and dtbo as well, though.
There are other raw images in the zip (dt, logo, vbmeta). You wrote earlier about disabling verity with a vbmeta.img. Is that needed?
 

p0werpl

Member
Aug 30, 2021
47
3
flash dtb, dtbo, boot, product, vendor, system, and this vbmeta (disabled) https://androidfilehost.com/?fid=2188818919693795292
I don't think the individual partitions in super can be flashed. fastboot reported a resizing error. The individual partitions (odm, product, vendor, system) have to be repacked into a flashable super.img.

I haven't been able to find a way to do that. There are numerous posts on unpacking super.img, but nothing reliable (that I have been able to find) about repacking it.
 

npjohnson

Recognized Developer
I don't think the individual partitions in super can be flashed. fastboot reported a resizing error. The individual partitions (odm, product, vendor, system) have to be repacked into a flashable super.img.

I haven't been able to find a way to do that. There are numerous posts on unpacking super.img, but nothing reliable (that I have been able to find) about repacking it.
You can't flash them from fastboot, but you can from fastbootd, which the exploit boots you into.
 

p0werpl

Member
Aug 30, 2021
47
3
What all did you flash?
boot, dtbo, system, vendor, product, vbmeta

I flashed back the originals (from June 2020) and was able to boot back up again.

You did not mention odm. It's part of /super. Should that be flashed as well?

As long as I do not flash bootloader.img, everything else will result in a recoverable and exploitable device. Correct?
 

npjohnson

Recognized Developer
boot, dtbo, system, vendor, product, vbmeta

I flashed back the originals (from June 2020) and was able to boot back up again.

You did not mention odm. It's part of /super. Should that be flashed as well?

As long as I do not flash bootloader.img, everything else will result in a recoverable and exploitable device. Correct?
Pretty much, yes. Avoid flashing tee and bootloader and you're fine.
 

npjohnson

Recognized Developer
boot, dtbo, system, vendor, product, vbmeta

I flashed back the originals (from June 2020) and was able to boot back up again.

You did not mention odm. It's part of /super. Should that be flashed as well?

As long as I do not flash bootloader.img, everything else will result in a recoverable and exploitable device. Correct?
As an important additional note, you can flash everything in fastbootd except DTB, which you _will_ need to flash. To flash dtbo you need to reboot to bootloader, not fastbootd.
 

JJ2017

Senior Member
Jan 7, 2017
66
40
Huawei P20 Pro
Following this progress with interest:
When I try to flash product (or system) I'm getting:

>fastboot flash product product.img
target reported max download size of 536870912 bytes
Invalid sparse file format at header magic
sending sparse 'product' 1/2 (523956 KB)...
OKAY [ 20.366s]
writing 'product' 1/2...
OKAY [ 10.326s]
sending sparse 'product' 2/2 (89356 KB)...
OKAY [ 3.501s]
writing 'product' 2/2...
FAILED (remote: Operation not permitted)
finished. total time: 35.216s
=====================================
Also, in the file shared by @npjohnson #63 above - when unpacked there's dt.img - I assume that's dtb?
 
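Two things in the fastboot output above are worth telling apart: the "Invalid sparse file format at header magic" line is the host tool noting that product.img is a raw (non-sparse) image, which it then splits into download-sized sparse pieces (hence the 1/2 and 2/2), while the FAILED comes back from the device. The Python below is an added example, not from the thread or the unlock repo: it parses the Android sparse image header so an image can be classified before flashing, and estimates the piece count for a raw image from the 536870912-byte limit the device reported; the sample images are constructed in memory.

```python
import struct

SPARSE_MAGIC = 0xED26FF3A                  # magic of an Android sparse image
SPARSE_HDR = struct.Struct("<IHHHHIIII")   # 28-byte sparse_header_t, little-endian
CHUNK_HDR_SIZE = 12                        # chunk_header_t size the format requires
MAX_DOWNLOAD = 536870912                   # "target reported max download size"


def min_pieces(raw_size: int, max_download: int = MAX_DOWNLOAD) -> int:
    """Lower bound on how many downloads a raw image needs. fastboot's real split
    also spends part of each piece on sparse headers, so it may use one more."""
    return -(-raw_size // max_download) if raw_size else 0


def inspect_image(data: bytes, max_download: int = MAX_DOWNLOAD) -> dict:
    """Classify an image the way the fastboot host tool does before sending it.

    A sparse image carries its own header and is sent as-is. A raw image makes
    fastboot print "Invalid sparse file format at header magic" and re-sparse
    it into pieces that each fit one download (the 1/2, 2/2 seen in the thread).
    """
    if len(data) >= SPARSE_HDR.size:
        (magic, major, minor, hdr_sz, chunk_hdr_sz,
         blk_sz, total_blks, total_chunks, _checksum) = SPARSE_HDR.unpack_from(data)
        if magic == SPARSE_MAGIC:
            return {
                "sparse": True,
                "version": f"{major}.{minor}",
                "block_size": blk_sz,
                "expanded_size": blk_sz * total_blks,   # bytes once written to flash
                "chunks": total_chunks,
                # libsparse rejects other header sizes / major versions as corrupt.
                "header_ok": (major == 1 and hdr_sz >= SPARSE_HDR.size
                              and chunk_hdr_sz == CHUNK_HDR_SIZE),
            }
    return {"sparse": False, "size": len(data),
            "min_pieces": min_pieces(len(data), max_download)}


# Constructed samples: a 1 MiB sparse header (256 blocks of 4 KiB, 3 chunks) and a
# tiny raw blob. PRODUCT_IMG_BYTES is the 523956 KB + 89356 KB fastboot reported.
SAMPLE_SPARSE = SPARSE_HDR.pack(SPARSE_MAGIC, 1, 0, 28, 12, 4096, 256, 3, 0)
SAMPLE_RAW = b"\x00" * 64
PRODUCT_IMG_BYTES = (523956 + 89356) * 1024

if __name__ == "__main__":
    print(inspect_image(SAMPLE_SPARSE))
    print(inspect_image(SAMPLE_RAW))
    print("product.img pieces >=", min_pieces(PRODUCT_IMG_BYTES))  # 2, matching 1/2 and 2/2
```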

Top Liked Posts

  • 10
    Introduction:

    This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).

    This uses a bootROM bug in the SoC by security researcher Frederic Basse (frederic).

    Frederic also did a great amount of work to temporarily boot a custom OS from USB here.

    Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability and provided tools and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader unlock the device.

    Disclaimer:

    You are solely responsible for any potential damage(s) caused to your device by this exploit.

    FAQ:

    - Does unlocking the bootloader void my warranty on this device?
    Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.

    - Does unlocking the bootloader break DRM in any way?
    Nope, just like unlocking a Pixel device officially.

    - Can I OTA afterwards?
    NO - It will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than

    - Can I use stock?
    Yes, but only if you flashed the newer patched factory image offered up in the script.

    - Can I go back to stock after installing custom OS's?
    Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2020-06-05. The tool offers to put you on a newer firmware; it's highly recommended to do so.

    - Can I re-lock the bootloader?
    If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.

    - I've run the exploit 10 times and it isn't working yet!
    Swap USB ports/cables and keep trying; for some people it takes one attempt, for others it takes a lot of attempts.

    Requirements:
    • Chromecast With Google TV (sabrina) without USB password mitigation¹
    • Either a USB A to C, or a C to C cable
    • A PC running some flavor of 64-bit GNU Linux
    • `libusb-dev` installed
    • `fastboot` & `mke2fs` installed from the SDK Platform tools
    ¹: The USB password mitigation has been enabled on units manufactured in December 2020 and after. For units manufactured before, the mitigation was enabled by software update in February 2021. To discern this, look at the MFP date on the bar-code sticker on the bottom of your device's box. If you've powered it on and OTA'd, your firmware version needs to be below the February 2021 patch level. It's not possible to disable/change the password since it's burnt into the chip (efuses).

    Instructions:

    Follow the detailed and up-to-date instructions over at our Github repo, and maybe give the writeup a read/share on social media!

    Post-unlock:
    • The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
    • At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.

    Credits:
    • Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
    • Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
    • Frederic Basse (frederic): The initial exploit and the AES key tip
    Special Thanks:
    • Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
    • Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
    • Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
    • XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.
    2
    Wow, I'm glad I left mine unplugged.
    2
    I've updated the g12 thread to support sabrina - the beta LineageOS builds for it are live!

    If you want to come back from them, just re-run unlock.sh and select to flash the factory image.
    2
    Thanks OP - script worked a treat on an (unused) unit, MFG: 07/2020.
    Any advice on blocking / disabling the OTA updates? Can't see any instructions searching around (and not much use until that hurdle is cleared!)
    1
    I understand, but I was pointing out that there are alternatives.
    And it is less than the price of trying to buy one on eBay for an original 2019 GTV.
    Some people are here to learn something new.

    There is nothing wrong with the information that I posted.

    Yes, I have 2 GTVs, and would like to be able to root them. That is why I have read this whole thread and following it.

    The spoon feeding in the G12 thread makes for a long read...

    Edit: Never installed LineageOS on any of my devices. I do not need it. Root and I can handle the rest.
    If you want alternatives, nothing compares to the 2019 NSTV Pro.