
[RELEASE] Chromecast with Google TV Bootloader Unlock


p0werpl

Member
Aug 30, 2021
47
3
Following this progress with interest:
When I try to flash product (or system) I'm getting:

>fastboot flash product product.img
target reported max download size of 536870912 bytes
Invalid sparse file format at header magic
sending sparse 'product' 1/2 (523956 KB)...
OKAY [ 20.366s]
writing 'product' 1/2...
OKAY [ 10.326s]
sending sparse 'product' 2/2 (89356 KB)...
OKAY [ 3.501s]
writing 'product' 2/2...
FAILED (remote: Operation not permitted)
finished. total time: 35.216s
=====================================
Also, in the file shared by @npjohnson #63 above - when unpacked there's dt.img - I assume that's dtb?
No issues here.
$ fastboot flash product product.img
Invalid sparse file format at header magic
Resizing 'product' OKAY [ 0.005s]
Sending sparse 'product' 1/2 (523956 KB) OKAY [ 31.294s]
Writing 'product' OKAY [ 10.311s]
Sending sparse 'product' 2/2 (89356 KB) OKAY [ 5.547s]
Writing 'product' OKAY [ 2.173s]
Finished. Total time: 49.480s

Are you using an old fastboot binary?
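The two transcripts above both print "Invalid sparse file format at header magic" and then send `product` in two pieces under a 536870912-byte (512 MiB) max download size. The following is an added example, not code from the unlock script or from AOSP fastboot, that reproduces that decision offline: it parses Android's sparse image format (constants from AOSP libsparse: magic 0xED26FF3A, chunk types 0xCAC1 raw, 0xCAC2 fill, 0xCAC3 don't-care, 0xCAC4 crc32), reports whether an image is already sparse, and estimates how many pieces fastboot must send. The "header magic" message is simply fastboot noticing the file is raw; it then sparsifies and splits it itself. The sample images at the bottom are constructed in-process; `pieces_estimate` assumes fastboot gains little from fill-chunk compression of a raw image, which is the usual case for a populated ext4 partition.

```python
"""Pre-flight inspection of an image before `fastboot flash`.

Added example for this thread, not part of the unlock script or of fastboot.
Constants are from AOSP libsparse (sparse_format.h). Samples are constructed.
"""
import struct

SPARSE_MAGIC = 0xED26FF3A
CHUNK_RAW, CHUNK_FILL, CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
# magic, major, minor, file_hdr_sz, chunk_hdr_sz, blk_sz, total_blks, total_chunks, image_checksum
SPARSE_HDR = struct.Struct("<IHHHHIIII")
# chunk_type, reserved, chunk_sz (in blocks), total_sz (bytes, header included)
CHUNK_HDR = struct.Struct("<HHII")
# Body bytes each chunk type must carry; None means chunk_sz * blk_sz (raw data).
CHUNK_BODY = {CHUNK_RAW: None, CHUNK_FILL: 4, CHUNK_DONT_CARE: 0, CHUNK_CRC32: 4}


def parse_sparse(data: bytes):
    """Return (header, chunks) for a sparse image, None if `data` is a raw image,
    and raise ValueError for a sparse image whose headers do not add up."""
    if len(data) < SPARSE_HDR.size or SPARSE_HDR.unpack_from(data)[0] != SPARSE_MAGIC:
        return None  # what fastboot reports as "Invalid sparse file format at header magic"
    (_, major, _minor, hdr_sz, chunk_hdr_sz, blk_sz,
     total_blks, total_chunks, crc) = SPARSE_HDR.unpack_from(data)
    if major != 1 or hdr_sz != SPARSE_HDR.size or chunk_hdr_sz != CHUNK_HDR.size:
        raise ValueError("unsupported sparse header layout")
    if blk_sz == 0 or blk_sz % 4:
        raise ValueError("block size must be a positive multiple of 4")
    chunks, off, blocks_seen = [], hdr_sz, 0
    for _ in range(total_chunks):
        if off + CHUNK_HDR.size > len(data):
            raise ValueError("truncated chunk header")
        ctype, _res, chunk_blks, total_sz = CHUNK_HDR.unpack_from(data, off)
        body = total_sz - CHUNK_HDR.size
        want = CHUNK_BODY.get(ctype, -1)          # -1: unknown chunk type
        if want is None:
            want = chunk_blks * blk_sz
        if body != want or off + total_sz > len(data):
            raise ValueError(f"bad chunk at offset {off}: type 0x{ctype:04x}, body {body} bytes")
        chunks.append({"type": ctype, "blocks": chunk_blks,
                       "payload": data[off + CHUNK_HDR.size:off + total_sz]})
        blocks_seen += chunk_blks
        off += total_sz
    if blocks_seen != total_blks:
        raise ValueError(f"chunks cover {blocks_seen} blocks but header declares {total_blks}")
    header = {"blk_sz": blk_sz, "total_blks": total_blks,
              "total_chunks": total_chunks, "image_checksum": crc}
    return header, chunks


def transfer_plan(data: bytes, max_download: int = 536870912) -> dict:
    """Bytes that land on the partition, bytes sent over USB, and the number of
    pieces fastboot needs under the device's max-download-size (an estimate:
    fastboot re-sparses so that each piece plus headers fits, and may turn
    zero-filled blocks of a raw image into small fill chunks)."""
    parsed = parse_sparse(data)
    if parsed is None:
        written = len(data)
    else:
        written = parsed[0]["blk_sz"] * parsed[0]["total_blks"]
    return {"sparse": parsed is not None, "bytes_written": written,
            "bytes_sent": len(data), "pieces_estimate": -(-len(data) // max_download)}


def build_sparse(blk_sz: int, chunks) -> bytes:
    """Construct a sparse image from (type, blocks, payload) tuples (test data only)."""
    body, total_blks = b"", 0
    for ctype, blks, payload in chunks:
        body += CHUNK_HDR.pack(ctype, 0, blks, CHUNK_HDR.size + len(payload)) + payload
        total_blks += blks
    return SPARSE_HDR.pack(SPARSE_MAGIC, 1, 0, SPARSE_HDR.size, CHUNK_HDR.size,
                           blk_sz, total_blks, len(chunks), 0) + body


BLK = 4096
# Constructed samples, not real device images.
SPARSE_SAMPLE = build_sparse(BLK, [(CHUNK_RAW, 2, b"\xaa" * (2 * BLK)),
                                   (CHUNK_FILL, 4, struct.pack("<I", 0)),
                                   (CHUNK_DONT_CARE, 2, b"")])
RAW_SAMPLE = bytes(range(256)) * 4          # 1024 bytes that do not start with the magic

if __name__ == "__main__":
    for name, img in (("sparse", SPARSE_SAMPLE), ("raw", RAW_SAMPLE)):
        print(name, transfer_plan(img, max_download=4096))
```

Run it against a real `product.img` by reading the file into `transfer_plan()` with the max download size the device reports; a ValueError from `parse_sparse()` on a file that claims to be sparse is worth stopping for, since the device will happily write whatever the chunks describe.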
 

npjohnson

Recognized Developer
Also, in the file shared by @npjohnson #63 above - when unpacked there's dt.img - I assume that's dtb?
yes
 
  • Like
Reactions: JJ2017

npjohnson

Recognized Developer
Is it possible to wipe data and disable data encryption?

Where is SUW located? What if that partition's image can be mounted and SUW renamed?
If you repack the bootimage yeah you can disable it - or just use the forceencrypt disabler zips - this might work actually.

You can't remount the images or the block devices, both are forcibly RO.
 

p0werpl

Member
Aug 30, 2021
47
3
If you repack the bootimage yeah you can disable it - or just use the forceencrypt disabler zips - this might work actually.
Struck out once more. Sideloaded the zip (it had to be edited to remove the wait for volume-button presses) and it installed without any issues, but /data was encrypted on reboot.

At this point, this is just a war of attrition with google. How many of us are willing to hold on to a device that's pretty much a vegetable if it's not updated?
 

JJ2017

Senior Member
Jan 7, 2017
66
40
Huawei P20 Pro
@p0werpl & @npjohnson - I have some good news regarding the 'war of attrition' as I believe (with some trial and error) I've cracked it (with your guide, of course!)

Now because I only have limited experience in these matters I'll describe what I've done and let you decide how it worked:

- Following np's instructions yesterday I also ended stuck on fastboot 'G' logo so I re-did the unlock script and got back to June stock by flashing 'original' super.img at bootloader (along with the original partitions I had written over)
- Now device restored, so next , return to fastbootd, flash disabled Vbmeta and 'new' System partition (as described by np in post# 63 above) - try rebooting and get someway in boot-up before android error flags up.
- return to bootloader to re-flash 'new' dtb & dtbo img's - again boot-up attempts but get same 'corruption' error
- return to fastbootd flash 'new' odm.img - no change. However, returning to fastbootd to flash new product.img gets boot through to start-up screen : pair remote, connect to internet.... But something is buggy - no keyboard will come up to input data (and no option to sign-in using Home app)
- After lots of faffing and re-boots went to Recovery (via fastbootd menu) and did data wipe / cache -- this got me to normal start-up procedure - connect to internet / google login / success!
- Enable ADB in Dev Options - install Magisk app - patch boot.img - THIS IS THE JUNE boot.img NOT the 'new' one - re-flash patched boot, restart / get root through ADB shell: pm disable "com.google.android.tungsten.setupwraith"

I assume that's what we need to disable OTA updates?- list of packages attached to check (please!)

Photo showing Android security patch level: 5th April '21 - but still able to run unlock script and access fastbootd.

I think sticking with the original boot.img was the critical step here / I also never flashed the 'new' Vendor partition (I don't know if that's relevant)
Hopefully someone can replicate what I've done? And potentially improve this method?!
What do people think?


 

Attachments

  • success.jpg
    success.jpg
    40.2 KB · Views: 26
  • Packages.txt
    3.4 KB · Views: 10

p0werpl

Member
Aug 30, 2021
47
3

Thank you. I can confirm it works! It's probably the new vendor partition that should not be flashed. In any case, I will make a backup of all the partitions with this working system.
 
Last edited:
  • Like
Reactions: JJ2017

npjohnson

Recognized Developer
Thank you. I can confirm it works! It's probably the new vendor partition that should not be flashed. In any case, I will make a backup of all the partitions with this working system.
can you come up with a concise process and I'll try it/package it up for others?

So just flash everything from that package I linked except vendor, wipe data, call it a day?
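A dry-run planner for the recipe being converged on here ("everything from the package except vendor, then wipe data"). This is an added example, not the unlock script's own code. Its assumptions are stated in the comments: the logical partitions that live inside super (system, vendor, product, odm) are flashed from fastbootd, raw partitions (boot, dtb, dtbo, vbmeta, super) from the bootloader's fastboot, fastbootd is entered with `fastboot reboot fastboot`, and the data wipe is `fastboot -w` (the poster above used the recovery menu, which serves the same purpose). Nothing is executed unless `run=True` is passed; the default just prints the commands so the order and the skipped partition can be checked first.

```python
"""Dry-run fastboot flash plan: flash every .img in a directory except the
partitions in `skip`, in the right mode, then wipe data.

Added example for this thread, not code from the unlock script. The
partition-to-mode mapping and the wipe command are assumptions, marked below.
"""
import os
import shutil
import subprocess
import tempfile

LOGICAL = {"system", "vendor", "product", "odm"}          # assumption: inside super, flash from fastbootd
BOOTLOADER = {"boot", "dtb", "dtbo", "vbmeta", "super"}   # assumption: raw partitions, flash from bootloader


def plan(image_dir: str, skip=("vendor",), wipe: bool = True):
    """Return an ordered list of fastboot argv lists for the images in image_dir."""
    imgs = sorted(f[:-4] for f in os.listdir(image_dir) if f.endswith(".img"))
    unknown = [p for p in imgs if p not in LOGICAL | BOOTLOADER]
    if unknown:
        raise ValueError(f"no flash stage known for {unknown}; add them to LOGICAL or BOOTLOADER")
    stage1 = [p for p in imgs if p in BOOTLOADER and p not in skip]
    stage2 = [p for p in imgs if p in LOGICAL and p not in skip]
    flash = lambda p: ["fastboot", "flash", p, os.path.join(image_dir, p + ".img")]
    cmds = [flash(p) for p in stage1]
    if stage2:
        cmds.append(["fastboot", "reboot", "fastboot"])    # bootloader -> fastbootd
        cmds += [flash(p) for p in stage2]
    if wipe:
        cmds.append(["fastboot", "-w"])                    # assumption: formats userdata (runs mke2fs on the host)
    cmds.append(["fastboot", "reboot"])
    return cmds


def execute(cmds, run: bool = False) -> None:
    """Print each command; only run them when run=True, and stop at the first failure."""
    for argv in cmds:
        print(" ".join(argv))
        if run:
            subprocess.run(argv, check=True)


def demo():
    """Build a constructed image directory (empty .img files) and return its plan."""
    d = tempfile.mkdtemp()
    try:
        for p in ("boot", "dtb", "dtbo", "vbmeta", "system", "vendor", "product", "odm"):
            open(os.path.join(d, p + ".img"), "wb").close()
        return plan(d)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    execute(demo())            # dry run only; pass run=True to actually flash
```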
 

npjohnson

Recognized Developer

Yes. I flashed everything (including boot) except vendor. Did it work for you?
Thanks for your immense help and experimentation on this.

Added you to the Special Thanks on the thread and the GitHub repo.

The script now incorporates all of this and more!
 

bydo

Member
Jan 3, 2012
20
1
Great work everyone. So does that mean we can now take an unlocked device online to complete initial activation without fear of it getting relocked or updated? If so, I'll give this a shot and see if I can redeem the free Netflix offer that came bundled with my old device. Wonder how they know which devices are eligible for the offer and whether this information is preserved after the unlock script is run.
 

kennkanniff

Senior Member
May 6, 2013
150
277
Thanks everybody.

Initially I got this error which left me with an unbootable device:
Code:
/tmp/TemporaryFile-r1sI6B: Unimplemented ext2 library function while setting up superblock
/usr/lib/android-sdk/platform-tools/mke2fs failed with status 1
mke2fs failed: 1
error: Cannot generate image for userdata

After updating android-tools to latest and rerunning the exploit it works fine.
 
Last edited:
  • Like
Reactions: npjohnson
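The path in that error, `/usr/lib/android-sdk/platform-tools/mke2fs`, is the clue: when fastboot formats userdata it does not run whatever `mke2fs` is on PATH, it execs `mke2fs` and `e2fsdroid` from the directory that contains the fastboot binary itself, so a distro package that ships fastboot without those helpers (or with stale ones) fails exactly this way. The check below is an added example, not part of the unlock script. It resolves the fastboot symlink to its real directory and reports which helpers are missing there; the f2fs pair is listed as optional because the error text shows this device's userdata is ext4. `demo()` builds a fake install in a temporary directory, so the check runs offline.

```python
"""Verify that a platform-tools install can format userdata.

Added example for this thread, not code from the unlock script. Helper names
are those AOSP fastboot execs next to its own binary (mke2fs/e2fsdroid for
ext4; make_f2fs/sload_f2fs for f2fs).
"""
import os
import shutil
import subprocess
import tempfile

EXT4_HELPERS = ("mke2fs", "e2fsdroid")
F2FS_HELPERS = ("make_f2fs", "sload_f2fs")   # optional for this device


def tools_dir_for(fastboot_path: str) -> str:
    """Directory fastboot searches for helpers: that of the resolved binary,
    so a /usr/bin symlink is followed to the real platform-tools directory."""
    return os.path.dirname(os.path.realpath(fastboot_path))


def missing_helpers(tools_dir: str, helpers=EXT4_HELPERS):
    """Names from `helpers` that are absent or not executable in tools_dir."""
    return [h for h in helpers if not os.access(os.path.join(tools_dir, h), os.X_OK)]


def check_install(fastboot_path=None) -> dict:
    """Report on the fastboot found on PATH (or on the given path)."""
    fb = fastboot_path or shutil.which("fastboot")
    if not fb:
        return {"fastboot": None, "tools_dir": None, "missing_ext4": list(EXT4_HELPERS),
                "missing_f2fs": list(F2FS_HELPERS), "ok": False}
    d = tools_dir_for(fb)
    missing = missing_helpers(d)
    return {"fastboot": fb, "tools_dir": d, "missing_ext4": missing,
            "missing_f2fs": missing_helpers(d, F2FS_HELPERS), "ok": not missing}


def version_of(tool_path: str) -> str:
    """`fastboot --version` output, or an empty string if it cannot be run."""
    try:
        return subprocess.run([tool_path, "--version"], capture_output=True,
                              text=True, timeout=10).stdout.strip()
    except (OSError, subprocess.SubprocessError):
        return ""


def demo() -> dict:
    """Fake install in a temp dir: bin/fastboot -> platform-tools/fastboot, checked
    first without the ext4 helpers and then with them."""
    root = tempfile.mkdtemp()
    try:
        tools, bindir = os.path.join(root, "platform-tools"), os.path.join(root, "bin")
        os.makedirs(tools); os.makedirs(bindir)
        fb = os.path.join(tools, "fastboot")
        with open(fb, "w") as f:
            f.write("#!/bin/sh\necho fastboot version constructed\n")
        os.chmod(fb, 0o755)
        link = os.path.join(bindir, "fastboot")
        os.symlink(fb, link)
        before = check_install(link)
        for h in EXT4_HELPERS:
            p = os.path.join(tools, h)
            open(p, "w").close(); os.chmod(p, 0o755)
        after = check_install(link)
        return {"before": before, "after": after}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    report = check_install()
    print(report)
    if report["fastboot"]:
        print(version_of(report["fastboot"]))
    if not report["ok"]:
        print("install the full SDK platform-tools (or the distro package providing "
              "mke2fs/e2fsdroid) into", report["tools_dir"])
```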

npjohnson

Recognized Developer
Great work everyone. So does that mean we can now take an unlocked device online to complete initial activation without fear of it getting relocked or updated? If so, I'll give this a shot and see if I can redeem the free Netflix offer that came bundled with my old device. Wonder how they know which devices are eligible for the offer and whether this information is preserved after the unlock script is run.
Yes you can, but only after running the exploit and flashing the recommended images the script throws at you.
 

npjohnson

Recognized Developer
After updating android-tools to latest and rerunning the exploit it works fine.
Yeah they split out mke2fs, you'll need that as well.
 

Kalentia

Member
Nov 14, 2014
46
6
For some reason, even after installing the patched Magisk image the app says that the installed state is N/A... should I manually patch the image from the factory .zip or have I missed something?
 

Kalentia

Member
Nov 14, 2014
46
6
I patched the image on my CCwGTV and got something with a different checksum, from what I can tell it looks like Magisk gathers device-specific info during the patching process so making a pre-patched image may not be possible. At least it works to do it manually!
 

Top Liked Posts

  • 10
    Introduction:

    This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).

    This uses a bootROM bug in the SoC by security researcher Frederic Basse (frederic).

    Frederic also did a great amount of work to temporarily boot a custom OS from USB here.

    Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability and provided tools and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader unlock the device.

    Disclaimer:

    You are solely responsible for any potential damage(s) caused to your device by this exploit.

    FAQ:

    - Does unlocking the bootloader void my warranty on this device?
    Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.

    - Does unlocking the bootloader break DRM in any way?
    Nope, just like unlocking a Pixel device officially.

    - Can I OTA afterwards?
    NO - It will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than

    - Can I use stock?
    Yes, but only if you flashed the newer patched factory image offered up in the script.

    - Can I go back to stock after installing custom OS's?
    Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2020-06-05. The tool offers to put you on a newer firmware, it's highly recommended to do so.

    - Can I re-lock the bootloader?
    If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.

    - I've run the exploit 10 times and it isn't working yet!
    Swap USB ports/cables, and keep trying, for some people it takes one attempt, for some it takes a lot of attempts.

    Requirements:
    • Chromecast With Google TV (sabrina) without USB password mitigation¹
    • Either a USB A to C, or a C to C cable
    • A PC running some flavor of 64-bit GNU Linux
    • `libusb-dev` installed
    • `fastboot` & `mke2fs` installed from the SDK Platform tools
    ¹: The USB password mitigation has been enabled on units manufactured in December 2020 and after. For units manufactured before, the mitigation was enabled by software update in February 2021. To discern this, look at the MFP date on the bar-code sticker on the bottom of your device's box. If you've powered it on and OTA'd, your firmware version needs to be below the February 2021 patch level. It's not possible to disable/change the password since it's burnt into the chip (efuses).

    Instructions:

    Follow the detailed and up-to-date instructions over at our Github repo, and maybe give the writeup a read/share on social media!

    Post-unlock:
    • The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
    • At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.

    Credits:
    • Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
    • Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
    • Frederic Basse (frederic): The initial exploit and the AES key tip
    Special Thanks:
    • Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
    • Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
    • Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
    • XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.
    2
    Wow, I'm glad I left mine unplugged
    2
    I've updated the g12 thread to support sabrina - the beta LineageOS builds for it are live!

    If you want to come back from them, just re-run unlock.sh and select to flash the factory image.
    2
    Thanks OP - script worked a treat on an (unused) unit, MFG: 07/2020.
    Any advice on blocking / disabling the OTA updates? Can't see any instructions searching around (and not much use it until that hurdle cleared!)
    1
    I understand, but I was pointing out that there are alternatives.
    And it is less than the price of trying to buy one on Ebay for an original 2019 GTV.
    Some people are here to learn something new.

    There is nothing wrong with the information that I posted.

    Yes, I have 2 GTVs, and would like to be able to root them. That is why I have read this whole thread and following it.

    The spoon feeding in the G12 thread makes for a long read......

    Edit: Never installed LinageOS on any of my devices. I do not need it. Root and I can handle the rest.
    If you want alternatives, nothing compares to the 2019 nstv pro