[RELEASE] Chromecast with Google TV Bootloader Unlock


npjohnson

Recognized Developer
> I have a friend with a Sabrina dongle. Completely unmodified, and running a pixel 2 xl, also completely unmodified. She's been having crazy trouble with casting and remote control for a few months. I honestly think that this stuff is pretty weakly implemented and unreliable.
>
> Personally, I don't use cast OR remote, since I've decided to degoogle myself completely. GrapheneOS on Pixel 6 Pro is very nice. Best just to install your software on the TV dongle and be done with it. I also have a couple of ADT-3's that are supposed to be delivered today (although it's a pretty serious snow storm here today, so might have to wait a bit longer) to replace my Sabrina dongles, since they're basically the same but unlocked from factory. Yes yes, no netcrax -- I don't like them anyway.
>
> The big problem I see with this casting and remote stuff from gooble, is that they've decided to pull an apple and reinvent everything unnecessarily. There are standardized casting technologies that actually work reliably, and a phone can be programmed to be a USBHID device without needing to use undocumented network protocols to accomplish the exact same thing.
Where did you order ADT-3's? US store is out of stock.
 

96carboard

Senior Member
Jul 17, 2018
1,034
626
Tiny bit of information for anyone trying to flash the factory system images (or probably anything else) to an ADT-3... make sure that when you run flash-all.sh, you UNPLUG THE HDMI. I wasted about an hour trying to figure out why it stopped near the end and never finished. Unplug the HDMI and it goes straight through on the first try.
 

Kalentia

Senior Member
Nov 14, 2014
51
7
> I have a friend with a Sabrina dongle. Completely unmodified, and running a pixel 2 xl, also completely unmodified. She's been having crazy trouble with casting and remote control for a few months. I honestly think that this stuff is pretty weakly implemented and unreliable.
>
> Personally, I don't use cast OR remote, since I've decided to degoogle myself completely. GrapheneOS on Pixel 6 Pro is very nice. Best just to install your software on the TV dongle and be done with it. I also have a couple of ADT-3's that are supposed to be delivered today (although it's a pretty serious snow storm here today, so might have to wait a bit longer) to replace my Sabrina dongles, since they're basically the same but unlocked from factory. Yes yes, no netcrax -- I don't like them anyway.
>
> The big problem I see with this casting and remote stuff from gooble, is that they've decided to pull an apple and reinvent everything unnecessarily. There are standardized casting technologies that actually work reliably, and a phone can be programmed to be a USBHID device without needing to use undocumented network protocols to accomplish the exact same thing.
Weirdly enough, my issues aren't with casting or remote control. I'm having issues just doing regular content playback from the apps on the Chromecast... Netflix says "This title is not available to watch instantly", and Prime/Hulu/etc give similar errors when attempting to play content. My media server and casting local files work fine, so I know it's not an issue with video playback at the core.
 

96carboard

Senior Member
Jul 17, 2018
1,034
626
> Weirdly enough, my issues aren't with casting or remote control. I'm having issues just doing regular content playback from the apps on the Chromecast... Netflix says "This title is not available to watch instantly", and Prime/Hulu/etc give similar errors when attempting to play content. My media server and casting local files work fine, so I know it's not an issue with video playback at the core.

Well, nettards basically treat their customers like criminals, which really gets in the way of things working correctly. This is the main reason I don't buy their crappy service. Why pay somebody to treat you like a criminal? This is especially since the only point of paying for their service is so you DON'T feel like a criminal by finding the content for free on the internet.
 

Kalentia

Senior Member
Nov 14, 2014
51
7
Alright, I've gone through the process of factory resetting and reflashing the Chromecast using the script (but without the Magisk boot image this time). Still facing the same issues, I've eliminated the idea that it could be a local network issue by connecting to a hotspot and the problem persists. I wonder if it's a DRM issue, given that Google couldn't "authenticate" the Chromecast upon setup and I had to set it up with the TV instead of my phone. Or maybe it's related to the fact that the TV I'm using only supports SDR... if anyone has suggestions please let me know.
 

Deleted member 11959327

Guest
The explanation on GitHub about this exploit mentions "flags that disable update mode" and "the config that forces it (burn mode)".

For a device that does not use secureboot, are these flags/config changeable in a normal non-secure environment? Or, can they only be changed via execution before the run_preboot_environment_command, as with this exploit?

I'm trying to enable v2 usbburning mode (update in the uboot menu) on a device that does not have it enabled, but does not use secureboot.
 

npjohnson

Recognized Developer
> The explanation on GitHub about this exploit mentions "flags that disable update mode" and "the config that forces it (burn mode)".
>
> For a device that does not use secureboot, are these flags/config changeable in a normal non-secure environment? Or, can they only be changed via execution before the run_preboot_environment_command, as with this exploit?
>
> I'm trying to enable v2 usbburning mode (update in the uboot menu) on a device that does not have it enabled, but does not use secureboot.
Check the u-boot source linked in the exploit; it shows both of those flags being re-enabled.
 

rezendes

New member
Jun 23, 2010
1
0
Can anyone confirm if this enables the software locked USB 3 speeds of the SoC for the Chromecast with Google TV?
 

kennkanniff

Senior Member
May 6, 2013
184
281
Nexus 7 (2013)
Moto X 2014
> Alright, I've gone through the process of factory resetting and reflashing the Chromecast using the script (but without the Magisk boot image this time). Still facing the same issues, I've eliminated the idea that it could be a local network issue by connecting to a hotspot and the problem persists. I wonder if it's a DRM issue, given that Google couldn't "authenticate" the Chromecast upon setup and I had to set it up with the TV instead of my phone. Or maybe it's related to the fact that the TV I'm using only supports SDR... if anyone has suggestions please let me know.
I also have the same problem on two devices. Prime and ATV+ do not work. Casting works fine.
 

kennkanniff

Senior Member
May 6, 2013
184
281
Nexus 7 (2013)
Moto X 2014
After rerunning the script I bricked a device. It does not boot to fastboot but is stuck at androidtv logo.

EDIT: I bricked another, this one is stuck at G logo. In both cases I flashed lineage-19.1-20220421-recovery-sabrina.img just before running the script. It is stuck at:
Code:
Creating filesystem with 4096 4k blocks and 4096 inodes

Allocating group tables: done                        
Writing inode tables: done                        
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

Sending 'metadata' (44 KB)                         OKAY [  0.006s]
Writing 'metadata'                                 OKAY [  0.005s]
Finished. Total time: 0.640s
Rebooting into fastboot                            OKAY [  0.000s]
< waiting for any device >
EDIT2: Is there any hope?
 

npjohnson

Recognized Developer
> After rerunning the script I bricked a device. It does not boot to fastboot but is stuck at androidtv logo.
>
> EDIT: I bricked another, this one is stuck at G logo. In both cases I flashed lineage-19.1-20220421-recovery-sabrina.img just before running the script. It is stuck at:
> Code:
> Creating filesystem with 4096 4k blocks and 4096 inodes
>
> Allocating group tables: done
> Writing inode tables: done
> Creating journal (1024 blocks): done
> Writing superblocks and filesystem accounting information: done
>
> Sending 'metadata' (44 KB)                         OKAY [  0.006s]
> Writing 'metadata'                                 OKAY [  0.005s]
> Finished. Total time: 0.640s
> Rebooting into fastboot                            OKAY [  0.000s]
> < waiting for any device >
> EDIT2: Is there any hope?
Not bricked: hold button to get into burn, run exploit, choose to flash functional image in script.
 

p0werpl

Senior Member
Aug 30, 2021
69
8
Can someone upload the super.img of QTS1.210311.036.7814738 from a device that has updated to that version? The only link available is an incremental update. Thank you.
 

ubergeek77

Senior Member
Oct 30, 2015
243
82
I went through this process today, but SetupWizard still tries to do a system update before letting me get to anything. There's probably already an official update newer than the one the script automatically installs. I cut the internet connection before it could finish the system update, but I'm pretty much stuck until I can figure out how to bypass that. At the moment I cannot enable OEM unlocking or ADB, since I have no way to get to the Settings app.

Since I'm on sabrina and the included LineageOS 19.1 recovery image isn't working, I flashed the 18.1 recovery image and it works fine. Although, it's a bit annoying to get into recovery mode, since I have to re-run the exploit every time just to get into fastboot and then boot to recovery, since I can't actually access the setting to enable ADB (is there a button combo or something to get into the Lineage recovery without attempting a factory reset every time? That would be nice).

I can access an ADB shell from the Lineage 18.1 recovery, but I'm hesitant to install Lineage 18.1 without properly unlocking the bootloader first (fastboot oem unlock fails), which I can't do without access to the Settings app.

Since I have root shell access from recovery, can I just disable SetupWizard from there, or enable ADB from there so I can spawn the Settings activity manually?
 

npjohnson

Recognized Developer
> I went through this process today, but SetupWizard still tries to do a system update before letting me get to anything. There's probably already an official update newer than the one the script automatically installs. I cut the internet connection before it could finish the system update, but I'm pretty much stuck until I can figure out how to bypass that. At the moment I cannot enable OEM unlocking or ADB, since I have no way to get to the Settings app.
>
> Since I'm on sabrina and the included LineageOS 19.1 recovery image isn't working, I flashed the 18.1 recovery image and it works fine. Although, it's a bit annoying to get into recovery mode, since I have to re-run the exploit every time just to get into fastboot and then boot to recovery, since I can't actually access the setting to enable ADB (is there a button combo or something to get into the Lineage recovery without attempting a factory reset every time? That would be nice).
>
> I can access an ADB shell from the Lineage 18.1 recovery, but I'm hesitant to install Lineage 18.1 without properly unlocking the bootloader first (fastboot oem unlock fails), which I can't do without access to the Settings app.
>
> Since I have root shell access from recovery, can I just disable SetupWizard from there, or enable ADB from there so I can spawn the Settings activity manually?
The exploit _unlocks_ your bootloader lol - if you ran it once you're unlocked.
 

ubergeek77

Senior Member
Oct 30, 2015
243
82
> The exploit _unlocks_ your bootloader lol - if you ran it once you're unlocked.
Gotcha. I figured, but I wasn't 100% sure since the first instruction on the Lineage page is to run the unlock command.

Well, time to install Lineage 18.1. No other option at the moment 😬 Nevermind, I just hacked my way through forcing stock to skip the setup wizard.
 

ubergeek77

Senior Member
Oct 30, 2015
243
82
> Can someone else confirm that on stock DISNEY+ is limited to HD, netflix/amazon prime isn't playing at all?
> My chromecast is not rooted, just bootloader unlocked
I don't use Disney+, but Netflix and Amazon Prime Video aren't working on stock for me. Netflix and Netflix TV won't open at all (error ui-800-3 307006). Amazon Prime works "fine" until you actually start to play something, then it says "something went wrong."

I disabled the stock launcher entirely, and I've seen at least a few people mentioning that might be related to Netflix not working (can't imagine why though). But I've got no clue what's wrong with Prime Video.

I do have Magisk installed, and I tried adding both apps to Zygisk's denylist, as well as installing the Universal SafetyNet Fix. Still can't get either app working.

Does anyone else here have either of these apps working? Any details on what your setup looks like would be great (stock launcher or not, Magisk installed or not, app sideloaded or installed from Google Play, etc).
 

Top Liked Posts

Hi, has there been any progress with unlocking the FHD version of this chromecast? (boreal)

Introduction:

This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).

This uses a bootROM bug in the SoC found by security researcher Frederic Basse (frederic).

Frederic also did a great amount of work to temporarily boot a custom OS from USB here.

Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability and provided tools and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader unlock the device.

Disclaimer:

You are solely responsible for any potential damage(s) caused to your device by this exploit.

FAQ:

- Does unlocking the bootloader void my warranty on this device?
Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.

- Does unlocking the bootloader break DRM in any way?
Nope, just like unlocking a Pixel device officially.

- Can I OTA afterwards?
NO - It will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than

- Can I use stock?
Yes, but only if you flashed the newer patched factory image offered up in the script.

- Can I go back to stock after installing custom OS's?
Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2021-08-05. The tool offers to put you on a newer firmware; it's highly recommended to do so.

- Can I re-lock the bootloader?
If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.

- I've run the exploit 10 times and it isn't working yet!
Swap USB ports/cables and keep trying; for some people it takes one attempt, for some it takes a lot of attempts.

Requirements:
• Chromecast With Google TV (sabrina) without USB password mitigation¹
• Either a USB A to C, or a C to C cable
• A PC running some flavor of 64-bit GNU Linux
• `libusb-dev` installed
• `fastboot` & `mke2fs` installed from the SDK Platform tools
¹: The USB password mitigation has been enabled on units manufactured in December 2020 and after. For units manufactured before, the mitigation was enabled by software update in February 2021. To discern this, look at the MFP date on the bar-code sticker on the bottom of your device's box. If you've powered it on and OTA'd, your firmware version needs to be below the February 2021 patch level. It's not possible to disable/change the password since it's burnt into the chip (efuses).

Instructions:

Follow the detailed and up-to-date instructions over at our GitHub repo, and maybe give the writeup a read/share on social media!

Post-unlock:
• The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
• At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.

Credits:
• Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
• Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
• Frederic Basse (frederic): The initial exploit and the AES key tip
Special Thanks:
• Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
• Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
• Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
• XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.

Wow, I'm glad I left mine unplugged.

> Alright, here you go:
>
> Opening it up, this seems to be a partial OTA that takes the device from QTS1.210311.008 to QTS1.210311.036.
Perfect. Thx. Will aim to look this weekend.

I've updated the g12 thread to support sabrina - the beta LineageOS builds for it are live!

If you want to come back from them, just re-run unlock.sh and select to flash the factory image.

Thanks OP - script worked a treat on an (unused) unit, MFG: 07/2020.
Any advice on blocking / disabling the OTA updates? Can't see any instructions searching around (and not much use until that hurdle is cleared!)
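As an added example (not code from this thread, from the OP's GitHub repo, or from the unlock script it links), here are a few POSIX shell helpers one could wrap around `fastboot` for two things the thread keeps coming back to: the hang kennkanniff hit, where the script reboots the device into fastboot and then sits at `< waiting for any device >` indefinitely, and the OP's requirements list (`fastboot` and `mke2fs` on PATH) plus the "am I actually unlocked?" question. Assumptions, all labelled in the code: the SDK Platform tools `fastboot` is on PATH (the `FASTBOOT` variable lets you point the helpers at a stub for a dry run), `fastboot devices` prints one `<serial><TAB>fastboot` line per device, and the bootloader answers `fastboot getvar unlocked` with `unlocked: yes` or `unlocked: no`, which is standard on Pixel-style bootloaders but has not been confirmed here for the Chromecast's u-boot. Nothing in it runs the exploit; it only refuses to flash when no device shows up within a timeout or when the bootloader does not report itself unlocked, so a flash script fails loudly instead of hanging.

```shell
#!/bin/sh
# Added example, not code from the thread or the unlock script it links.
# Defensive helpers around `fastboot` so a flash step fails with a clear
# message instead of hanging at "< waiting for any device >" forever.
# Assumptions (not verified on the Chromecast's u-boot): the SDK Platform
# tools `fastboot` is on PATH (override with FASTBOOT=... to test against a
# stub), and the bootloader answers `fastboot getvar unlocked` with
# "unlocked: yes" or "unlocked: no".

FASTBOOT="${FASTBOOT:-fastboot}"

# Report which of the given tools are missing from PATH. Returns the count of
# missing tools, so 0 means every requirement is satisfied.
check_tools() {
    missing=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing: $tool (install the SDK Platform tools / e2fsprogs)" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Serial numbers of devices currently in fastboot mode, one per line.
# `fastboot devices` prints "<serial><TAB>fastboot" for each device it sees.
list_fastboot_devices() {
    "$FASTBOOT" devices 2>/dev/null | awk '$2 == "fastboot" { print $1 }'
}

# Poll for a fastboot device for at most $1 seconds (default 60). Prints the
# serial on success; returns 1 with a hint on stderr if none appeared in time.
wait_for_fastboot() {
    timeout_s="${1:-60}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout_s" ]; do
        serial=$(list_fastboot_devices | head -n 1)
        if [ -n "$serial" ]; then
            printf '%s\n' "$serial"
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    echo "no fastboot device after ${timeout_s}s: try another USB port/cable, unplug HDMI" >&2
    return 1
}

# Read the text of `fastboot getvar unlocked` from stdin and return 0 only when
# the bootloader reports "unlocked: yes". fastboot prints getvar results on
# stderr, so callers redirect with 2>&1. A missing or "no" answer fails closed.
parse_unlocked() {
    awk 'tolower($1) == "unlocked:" { found = 1; if (tolower($2) == "yes") ok = 1 }
         END { if (found && ok) exit 0; exit 1 }'
}

# Refuse to flash unless the tools exist, a device is present within the
# timeout, and the bootloader reports itself unlocked.
# Usage: guarded_flash <partition> <image>
guarded_flash() {
    partition="$1"; image="$2"
    check_tools fastboot mke2fs || return 1
    wait_for_fastboot 60 >/dev/null || return 1
    if ! "$FASTBOOT" getvar unlocked 2>&1 | parse_unlocked; then
        echo "bootloader reports locked or unknown state; not flashing $partition" >&2
        return 1
    fi
    "$FASTBOOT" flash "$partition" "$image"
}
```

`guarded_flash boot boot.img` is the only entry point a flash script needs; the other functions are split out so each can be exercised on its own (for instance by setting `FASTBOOT` to a shell function that echoes constructed `fastboot devices` and `getvar` output) before any real device is attached.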