[RELEASE] Chromecast with Google TV Bootloader Unlock


grave35

New member
Oct 21, 2012
3
3
A new update has been released QTS1.210311.036. Sabrina tries to download it all the time. How do I avoid accidental updates? Which combination of images will get rid of the update notification? Zip Ota QTS1.210311.036
 

yan2xme

Senior Member
Jun 8, 2018
104
16
omg... seems like the ccwgtv is much trickier overall to exploit but has easily released an LOS port for this device. Unlucky for me, I am really late to this fiasco and I would not be able to find stock manufactured before Dec 2020 because I'm in Asia. And I'm still a newbie about this and I'm afraid I can't proceed with this because it requires executing delicate procedures with dumping all these delicate files...
which means I might easily brick my device. idk, should I still upgrade to this from being an Amazon Fire TV 4K unlocked-bootloader user (which is still crap in how limited FireOS is, and not a single custom ROM is released for this device; it doesn't have systemwide UVC and USB DAC support or an option to route audio to USB without using 3rd-party apps)? Still, I love the hard work you have done... clap clap clap
 

npjohnson

Recognized Developer
Your risk of bricking in running this exploit is nearly null. Feel free to run it on any firmware version, but newer ones will just say "Password protected, won't work".

And thanks!
 

yan2xme

Senior Member
Jun 8, 2018
104
16
And if I exploited an exploitable device, can I still install Google TV right away without those OTAs that burn the efuses? Or can I just install LOS to not get OTAs? Is there a way to block them?
 

npjohnson

Recognized Developer
After the exploit you are booted to the bootloader and can directly install LineageOS. You don't need to reboot to the OS and take the OTAs.
 

bydo

Member
Jan 3, 2012
22
1
Found another old June 2020 device. Would like to keep this one on the stock Google Android image but block OTA updates so I can try Lineage in the future. I presume the script needs to be updated to use parts of the current qts1.210311.036 instead of qts1.210311.008 to prevent the initial activation/setup process from force-updating to qts1.210311.036? Anyone tried this yet?
 

npjohnson

Recognized Developer
Link me the images for the newer firmware and I'll do it :)
Is GSI supported on the GCTV?
Yup. They work fine, so long as they're small enough.
 

bydo

Member
Jan 3, 2012
22
1
The file that was linked a few posts earlier won't work? Looks like some sort of patch or partial image based on the 150 MB file size:

A new update has been released QTS1.210311.036. Sabrina tries to download it all the time. How do I avoid accidental updates? Which combination of images will get rid of the update notification? Zip Ota QTS1.210311.036
 

Kalentia

Senior Member
Nov 14, 2014
50
7
I've started having issues with playback in most major streaming apps on my Chromecast in the past few months. Any chance this is related to the new update being released but not installed?
 

Kalentia

Senior Member
Nov 14, 2014
50
7
I guess that's reassuring, maybe it's the fact that I've rooted the device. I'll keep troubleshooting!
 

96carboard

Senior Member
Jul 17, 2018
664
371
I have a friend with a Sabrina dongle. Completely unmodified, and running a Pixel 2 XL, also completely unmodified. She's been having crazy trouble with casting and remote control for a few months. I honestly think that this stuff is pretty weakly implemented and unreliable.

Personally, I don't use cast OR remote, since I've decided to degoogle myself completely. GrapheneOS on Pixel 6 Pro is very nice. Best just to install your software on the TV dongle and be done with it. I also have a couple of ADT-3s that are supposed to be delivered today (although it's a pretty serious snow storm here today, so I might have to wait a bit longer) to replace my Sabrina dongles, since they're basically the same but unlocked from the factory. Yes yes, no netcrax -- I don't like them anyway.

The big problem I see with this casting and remote stuff from gooble is that they've decided to pull an Apple and reinvent everything unnecessarily. There are standardized casting technologies that actually work reliably, and a phone can be programmed to be a USB HID device without needing to use undocumented network protocols to accomplish the exact same thing.
 

Top Liked Posts

  • 14
    Introduction:

    This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).

    This uses a bootROM bug in the SoC by security researcher Frederic Basse (frederic).

    Frederic also did a great amount of work to temporarily boot a custom OS from USB here.

    Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability, provided tools, and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader-unlock the device.

    Disclaimer:

    You are solely responsible for any potential damage(s) caused to your device by this exploit.

    FAQ:

    - Does unlocking the bootloader void my warranty on this device?
    Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.

    - Does unlocking the bootloader break DRM in any way?
    Nope, just like unlocking a Pixel device officially.

    - Can I OTA afterwards?
    NO - It will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than

    - Can I use stock?
    Yes, but only if you flashed the newer patched factory image offered up in the script.

    - Can I go back to stock after installing custom OS's?
    Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2020-06-05. The tool offers to put you on a newer firmware, it's highly recommended to do so.

    - Can I re-lock the bootloader?
    If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.

    - I've run the exploit 10 times and it isn't working yet!
    Swap USB ports/cables, and keep trying, for some people it takes one attempt, for some it takes a lot of attempts.

    Requirements:
    • Chromecast With Google TV (sabrina) without USB password mitigation¹
    • Either a USB A to C, or a C to C cable
    • A PC running some flavor of 64-bit GNU Linux
    • `libusb-dev` installed
    • `fastboot` & `mke2fs` installed from the SDK Platform tools
    ¹: The USB password mitigation has been enabled on units manufactured in December 2020 and after. For units manufactured before that, the mitigation was enabled by software update in February 2021. To discern this, look at the MFP date on the bar-code sticker on the bottom of your device's box. If you've powered it on and OTA'd, your firmware version needs to be below the February 2021 patch level. It's not possible to disable/change the password since it's burnt into the chip (efuses).

    Instructions:

    Follow the detailed and up-to-date instructions over at our Github repo, and maybe give the writeup a read/share on social media!

    Post-unlock:
    • The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
    • At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.

    Credits:
    • Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
    • Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
    • Frederic Basse (frederic): The initial exploit and the AES key tip
    Special Thanks:
    • Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
    • Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
    • Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
    • XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.
    2
    wow im glad i left mine unplugged
    2
    I've updated the g12 thread to support sabrina - the beta LineageOS builds for it are live!

    If you want to come back from them, just re-run unlock.sh and select to flash the factory image.
    2
    Thanks OP - script worked a treat on an (unused) unit, MFG: 07/2020.
    Any advice on blocking / disabling the OTA updates? Can't see any instructions searching around (and it's not much use until that hurdle is cleared!)
    1
    Alright, I've gone through the process of factory resetting and reflashing the Chromecast using the script (but without the Magisk boot image this time). Still facing the same issues, I've eliminated the idea that it could be a local network issue by connecting to a hotspot and the problem persists. I wonder if it's a DRM issue, given that Google couldn't "authenticate" the Chromecast upon setup and I had to set it up with the TV instead of my phone. Or maybe it's related to the fact that the TV I'm using only supports SDR... if anyone has suggestions please let me know.