[RELEASE] Chromecast with Google TV Bootloader Unlock

[npjohnson]

I have a friend with a Sabrina dongle. Completely unmodified, and running a pixel 2 xl, also completely unmodified. She's been having crazy trouble with casting and remote control for a few months. I honestly think that this stuff is pretty weakly implemented and unreliable.

Personally, I don't use cast OR remote, since I've decided to degoogle myself completely. GrapheneOS on Pixel 6 Pro is very nice. Best just to install your software on the TV dongle and be done with it. I also have a couple of ADT-3's that are supposed to be delivered today (although its a pretty serious snow storm here today, so might have to wait a bit longer) to replace my Sabrina dongles, since they're basically the same but unlocked from factory. Yes yes, no netcrax -- I don't like them anyway.

The big problem I see with this casting and remote stuff from gooble, is that they've decided to pull an apple and reinvent everything unnecessarily. There are standardized casting technologies that actually work reliably, and a phone can be programmed to be a USBHID device without needing to use undocumented network protocols to accomplish the exact same thing.

Where did you order ADT-3's? US store is out of stock.

 

[Deleted member 11959327]

.

 

[96carboard]

Where did you order ADT-3's? US store is out of stock.

Right here: https://store.askey.com/adt-3.html

 

[96carboard]

Tiny bit of information for anyone trying to flash the factory system images (or probably anything else) to an ADT-3... make sure that when you run flash-all.sh, you UNPLUG THE HDMI. I wasted about an hour trying to figure out why it stopped near the end and never finished. Unplug the HDMI and goes straight through on the first try.

 

[Kalentia]

I have a friend with a Sabrina dongle. Completely unmodified, and running a pixel 2 xl, also completely unmodified. She's been having crazy trouble with casting and remote control for a few months. I honestly think that this stuff is pretty weakly implemented and unreliable.

Personally, I don't use cast OR remote, since I've decided to degoogle myself completely. GrapheneOS on Pixel 6 Pro is very nice. Best just to install your software on the TV dongle and be done with it. I also have a couple of ADT-3's that are supposed to be delivered today (although its a pretty serious snow storm here today, so might have to wait a bit longer) to replace my Sabrina dongles, since they're basically the same but unlocked from factory. Yes yes, no netcrax -- I don't like them anyway.

The big problem I see with this casting and remote stuff from gooble, is that they've decided to pull an apple and reinvent everything unnecessarily. There are standardized casting technologies that actually work reliably, and a phone can be programmed to be a USBHID device without needing to use undocumented network protocols to accomplish the exact same thing.

Weirdly enough, my issues aren't with casting or remote control. I'm having issues just doing regular content playback from the apps on the Chromecast... Netflix says "This title is not available to watch instantly", and Prime/Hulu/etc give similar errors when attempting to play content. My media server and casting local files work fine, so I know it's not an issue with video playback at the core.

 

[96carboard]

Weirdly enough, my issues aren't with casting or remote control. I'm having issues just doing regular content playback from the apps on the Chromecast... Netflix says "This title is not available to watch instantly", and Prime/Hulu/etc give similar errors when attempting to play content. My media server and casting local files work fine, so I know it's not an issue with video playback at the core.

Well, nettards basically treat their customers like criminals, which really gets in the way of things working correctly. This is the main reason I don't buy their crappy service. Why pay somebody to treat you like a criminal? This is especially since the only point of paying for their service is so you DON'T feel like a criminal by finding the content for free on the internet.

 

[Kalentia]

Alright, I've gone through the process of factory resetting and reflashing the Chromecast using the script (but without the Magisk boot image this time). Still facing the same issues, I've eliminated the idea that it could be a local network issue by connecting to a hotspot and the problem persists. I wonder if it's a DRM issue, given that Google couldn't "authenticate" the Chromecast upon setup and I had to set it up with the TV instead of my phone. Or maybe it's related to the fact that the TV I'm using only supports SDR... if anyone has suggestions please let me know.

 

[Deleted member 11959327]

The explanation on github about this exploit mentions "flags that disable update mode" and "the config that forces it (burn mode)".

For a device that does not use secureboot, are these flags/config changeable in a normal non-secure environment? Or, can they only be changed via execution before the run_preboot_environment_command, as with this exploit?

I'm trying to enable v2 usbburning mode (update in the uboot menu) on a device that does not have it enabled, but does not use secureboot.

 

[npjohnson]

The explanation on github about this exploit mentions "flags that disable update mode" and "the config that forces it (burn mode)".

For a device that does not use secureboot, are these flags/config changeable in a normal non-secure environment? Or, can they only be changed via execution before the run_preboot_environment_command, as with this exploit?

I'm trying to enable v2 usbburning mode (update in the uboot menu) on a device that does not have it enabled, but does not use secureboot.

check the u-boot source linked in the exploit, it shows both of those flags being re-enabled.

 

[rezendes]

Can anyone confirm if this enables the software locked USB 3 speeds of the SoC for the Chromecast with Google TV?

 

[kennkanniff]

Alright, I've gone through the process of factory resetting and reflashing the Chromecast using the script (but without the Magisk boot image this time). Still facing the same issues, I've eliminated the idea that it could be a local network issue by connecting to a hotspot and the problem persists. I wonder if it's a DRM issue, given that Google couldn't "authenticate" the Chromecast upon setup and I had to set it up with the TV instead of my phone. Or maybe it's related to the fact that the TV I'm using only supports SDR... if anyone has suggestions please let me know.

I also have the same problem on two devices. Prime and ATV+ do not work. Casting works fine.

 

[kennkanniff]

After rerunning the script I bricked a device. It does not boot to fasboot but is stuck at androidtv logo.

EDIT: I bricked another, this one is stuck at G logo. In both cases I flashed lineage-19.1-20220421-recovery-sabrina.img just before running the script. It is stuck at:

Creating filesystem with 4096 4k blocks and 4096 inodes

Allocating group tables: done                        
Writing inode tables: done                        
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

Sending 'metadata' (44 KB)                         OKAY [  0.006s]
Writing 'metadata'                                 OKAY [  0.005s]
Finished. Total time: 0.640s
Rebooting into fastboot                            OKAY [  0.000s]
< waiting for any device >

EDIT2: Is there any hope?

 

[npjohnson]

After rerunning the script I bricked a device. It does not boot to fasboot but is stuck at androidtv logo.

EDIT: I bricked another, this one is stuck at G logo. In both cases I flashed lineage-19.1-20220421-recovery-sabrina.img just before running the script. It is stuck at:

Creating filesystem with 4096 4k blocks and 4096 inodes

Allocating group tables: done                       
Writing inode tables: done                       
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

Sending 'metadata' (44 KB)                         OKAY [  0.006s]
Writing 'metadata'                                 OKAY [  0.005s]
Finished. Total time: 0.640s
Rebooting into fastboot                            OKAY [  0.000s]
< waiting for any device >

EDIT2: Is there any hope?

not bricked, hold button to get into burn, run exploit, chose to flash functional image in script.

 

[kennkanniff]

not bricked, hold button to get into burn, run exploit, chose to flash functional image in script.

They dont boot into fastboot after the exploit. They are stuck at boot logo.

 

[p0werpl]

Can someone upload the super.img of QTS1.210311.036.7814738 from a device that has updated to that version? The only link available is an incremental update. Thank you.

 

[kennkanniff]

Can someone upload the super.img of QTS1.210311.036.7814738 from a device that has updated to that version? The only link available is an incremental update. Thank you.

If you can guide me through it I can definitely help. I currently have two sabrinas on lineage 18.1. PM me.

 

[ubergeek77]

I went through this process today, but SetupWizard still tries to do a system update before letting me get to anything. There's probably already an official update newer than the one the script automatically installs. I cut the internet connection before it could finish the system update, but I'm pretty much stuck until I can figure out how to bypass that. At the moment I cannot enable OEM unlocking or ADB, since I have no way to get to the Settings app.

Since I'm on sabrina and the included LineageOS 19.1 recovery image isn't working, I flashed the 18.1 recovery image and it works fine. Although, it's a bit annoying to get into recovery mode, since I have to re-run the exploit every time just to get into fastboot and then boot to recovery, since I can't actually access the setting to enable ADB (is there a button combo or something to get into the Lineage recovery without attempting a factory reset every time? That would be nice).

I can access an ADB shell from the Lineage 18.1 recovery, but I'm hesitant to install Lineage 18.1 without properly unlocking the bootloader first (fastboot oem unlock fails), which I can't do without access to the Settings app.

Since I have root shell access from recovery, can I just disable SetupWizard from there, or enable ADB from there so I can spawn the Settings activity manually?

 

[npjohnson]

I went through this process today, but SetupWizard still tries to do a system update before letting me get to anything. There's probably already an official update newer than the one the script automatically installs. I cut the internet connection before it could finish the system update, but I'm pretty much stuck until I can figure out how to bypass that. At the moment I cannot enable OEM unlocking or ADB, since I have no way to get to the Settings app.

Since I'm on sabrina and the included LineageOS 19.1 recovery image isn't working, I flashed the 18.1 recovery image and it works fine. Although, it's a bit annoying to get into recovery mode, since I have to re-run the exploit every time just to get into fastboot and then boot to recovery, since I can't actually access the setting to enable ADB (is there a button combo or something to get into the Lineage recovery without attempting a factory reset every time? That would be nice).

I can access an ADB shell from the Lineage 18.1 recovery, but I'm hesitant to install Lineage 18.1 without properly unlocking the bootloader first (fastboot oem unlock fails), which I can't do without access to the Settings app.

Since I have root shell access from recovery, can I just disable SetupWizard from there, or enable ADB from there so I can spawn the Settings activity manually?

The exploit _unlocks_ your boot loader lol - if you ran it once you're unlocked.

 

[ubergeek77]

The exploit _unlocks_ your boot loader lol - if you ran it once you're unlocked.

Gotcha. I figured, but I wasn't 100% sure since the first instruction on the Lineage page is to run the unlock command.

Well, time to install Lineage 18.1. No other option at the moment Nevermind, I just hacked my way through forcing stock to skip the setup wizard.

 

[ubergeek77]

Can someone else confirm that on stock DISNEY+ is limited to HD, netflix/amazon prime isn't playing at all?
My chromecast is not rooted, just bootloader unlocked

I don't use Disney+, but Netflix and Amazon Prime Video aren't working on stock for me. Netflix and Netflix TV won't open at all (error ui-800-3 307006). Amazon Prime works "fine" until you actually start to play something, then it says "something went wrong."

I disabled the stock launcher entirely, and I've seen at least a few people mentioning that might be related to Netflix not working (can't imagine why though). But I've got no clue what's wrong with Prime Video.

I do have Magisk installed, and I tried adding both apps to Zygisk's denylist, as well as installing the Universal SafetyNet Fix. Still can't get either apps working.

Does anyone else here have either of these apps working? Any details on what your setup looks like would be great (stock launcher or not, Magisk installed or not, app sideloaded or installed from Google Play, etc).