[RELEASE] Chromecast with Google TV Bootloader Unlock


npjohnson

Recognized Developer
I have a friend with a Sabrina dongle. Completely unmodified, and running a pixel 2 xl, also completely unmodified. She's been having crazy trouble with casting and remote control for a few months. I honestly think that this stuff is pretty weakly implemented and unreliable.

Personally, I don't use cast OR remote, since I've decided to degoogle myself completely. GrapheneOS on Pixel 6 Pro is very nice. Best just to install your software on the TV dongle and be done with it. I also have a couple of ADT-3's that are supposed to be delivered today (although it's a pretty serious snow storm here today, so might have to wait a bit longer) to replace my Sabrina dongles, since they're basically the same but unlocked from factory. Yes yes, no netcrax -- I don't like them anyway.

The big problem I see with this casting and remote stuff from gooble, is that they've decided to pull an apple and reinvent everything unnecessarily. There are standardized casting technologies that actually work reliably, and a phone can be programmed to be a USBHID device without needing to use undocumented network protocols to accomplish the exact same thing.
Where did you order ADT-3's? US store is out of stock.
 

96carboard

Senior Member
Jul 17, 2018
664
371
Tiny bit of information for anyone trying to flash the factory system images (or probably anything else) to an ADT-3... make sure that when you run flash-all.sh, you UNPLUG THE HDMI. I wasted about an hour trying to figure out why it stopped near the end and never finished. Unplug the HDMI and it goes straight through on the first try.
 

Kalentia

Senior Member
Nov 14, 2014
50
7
I have a friend with a Sabrina dongle. Completely unmodified, and running a pixel 2 xl, also completely unmodified. She's been having crazy trouble with casting and remote control for a few months. I honestly think that this stuff is pretty weakly implemented and unreliable.

Personally, I don't use cast OR remote, since I've decided to degoogle myself completely. GrapheneOS on Pixel 6 Pro is very nice. Best just to install your software on the TV dongle and be done with it. I also have a couple of ADT-3's that are supposed to be delivered today (although it's a pretty serious snow storm here today, so might have to wait a bit longer) to replace my Sabrina dongles, since they're basically the same but unlocked from factory. Yes yes, no netcrax -- I don't like them anyway.

The big problem I see with this casting and remote stuff from gooble, is that they've decided to pull an apple and reinvent everything unnecessarily. There are standardized casting technologies that actually work reliably, and a phone can be programmed to be a USBHID device without needing to use undocumented network protocols to accomplish the exact same thing.
Weirdly enough, my issues aren't with casting or remote control. I'm having issues just doing regular content playback from the apps on the Chromecast... Netflix says "This title is not available to watch instantly", and Prime/Hulu/etc give similar errors when attempting to play content. My media server and casting local files work fine, so I know it's not an issue with video playback at the core.
 

96carboard

Senior Member
Jul 17, 2018
664
371
Weirdly enough, my issues aren't with casting or remote control. I'm having issues just doing regular content playback from the apps on the Chromecast... Netflix says "This title is not available to watch instantly", and Prime/Hulu/etc give similar errors when attempting to play content. My media server and casting local files work fine, so I know it's not an issue with video playback at the core.

Well, nettards basically treat their customers like criminals, which really gets in the way of things working correctly. This is the main reason I don't buy their crappy service. Why pay somebody to treat you like a criminal? This is especially since the only point of paying for their service is so you DON'T feel like a criminal by finding the content for free on the internet.
 

Kalentia

Senior Member
Nov 14, 2014
50
7
Alright, I've gone through the process of factory resetting and reflashing the Chromecast using the script (but without the Magisk boot image this time). Still facing the same issues, I've eliminated the idea that it could be a local network issue by connecting to a hotspot and the problem persists. I wonder if it's a DRM issue, given that Google couldn't "authenticate" the Chromecast upon setup and I had to set it up with the TV instead of my phone. Or maybe it's related to the fact that the TV I'm using only supports SDR... if anyone has suggestions please let me know.
 

goapy

Senior Member
Dec 30, 2021
114
23
The explanation on github about this exploit mentions "flags that disable update mode" and "the config that forces it (burn mode)".

For a device that does not use secureboot, are these flags/config changeable in a normal non-secure environment? Or, can they only be changed via execution before the run_preboot_environment_command, as with this exploit?

I'm trying to enable v2 usbburning mode (update in the uboot menu) on a device that does not have it enabled, but does not use secureboot.
 

npjohnson

Recognized Developer
The explanation on github about this exploit mentions "flags that disable update mode" and "the config that forces it (burn mode)".

For a device that does not use secureboot, are these flags/config changeable in a normal non-secure environment? Or, can they only be changed via execution before the run_preboot_environment_command, as with this exploit?

I'm trying to enable v2 usbburning mode (update in the uboot menu) on a device that does not have it enabled, but does not use secureboot.
check the u-boot source linked in the exploit, it shows both of those flags being re-enabled.
 

rezendes

New member
Jun 23, 2010
1
0
Can anyone confirm if this enables the software locked USB 3 speeds of the SoC for the Chromecast with Google TV?
 

kennkanniff

Senior Member
May 6, 2013
173
278
Alright, I've gone through the process of factory resetting and reflashing the Chromecast using the script (but without the Magisk boot image this time). Still facing the same issues, I've eliminated the idea that it could be a local network issue by connecting to a hotspot and the problem persists. I wonder if it's a DRM issue, given that Google couldn't "authenticate" the Chromecast upon setup and I had to set it up with the TV instead of my phone. Or maybe it's related to the fact that the TV I'm using only supports SDR... if anyone has suggestions please let me know.
I also have the same problem on two devices. Prime and ATV+ do not work. Casting works fine.
 

kennkanniff

Senior Member
May 6, 2013
173
278
After rerunning the script I bricked a device. It does not boot to fastboot but is stuck at the Android TV logo.

EDIT: I bricked another, this one is stuck at G logo. In both cases I flashed lineage-19.1-20220421-recovery-sabrina.img just before running the script. It is stuck at:
Code:
Creating filesystem with 4096 4k blocks and 4096 inodes

Allocating group tables: done                        
Writing inode tables: done                        
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

Sending 'metadata' (44 KB)                         OKAY [  0.006s]
Writing 'metadata'                                 OKAY [  0.005s]
Finished. Total time: 0.640s
Rebooting into fastboot                            OKAY [  0.000s]
< waiting for any device >
EDIT2: Is there any hope?
 

npjohnson

Recognized Developer
After rerunning the script I bricked a device. It does not boot to fastboot but is stuck at the Android TV logo.

EDIT: I bricked another, this one is stuck at G logo. In both cases I flashed lineage-19.1-20220421-recovery-sabrina.img just before running the script. It is stuck at:
Code:
Creating filesystem with 4096 4k blocks and 4096 inodes

Allocating group tables: done                       
Writing inode tables: done                       
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

Sending 'metadata' (44 KB)                         OKAY [  0.006s]
Writing 'metadata'                                 OKAY [  0.005s]
Finished. Total time: 0.640s
Rebooting into fastboot                            OKAY [  0.000s]
< waiting for any device >
EDIT2: Is there any hope?
Not bricked: hold the button to get into burn mode, run the exploit, and choose to flash a functional image in the script.
 

Top Liked Posts

  • 14
    Introduction:

    This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV).

    This uses a bootROM bug in the SoC by security researcher Frederic Basse (frederic).

    Frederic also did a great amount of work to temporarily boot a custom OS from USB here.

    Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability and provided tools and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader unlock the device.

    Disclaimer:

    You are solely responsible for any potential damage(s) caused to your device by this exploit.

    FAQ:

    - Does unlocking the bootloader void my warranty on this device?
    Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.

    - Does unlocking the bootloader break DRM in any way?
    Nope, just like unlocking a Pixel device officially.

    - Can I OTA afterwards?
    NO - It will re-lock your bootloader, and if you've made any modifications, brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than

    - Can I use stock?
    Yes, but only if you flashed the newer patched factory image offered up in the script.

    - Can I go back to stock after installing custom OS's?
    Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2020-06-05. The tool offers to put you on a newer firmware, it's highly recommended to do so.

    - Can I re-lock the bootloader?
    If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.

    - I've run the exploit 10 times and it isn't working yet!
    Swap USB ports/cables, and keep trying, for some people it takes one attempt, for some it takes a lot of attempts.

    Requirements:
    • Chromecast With Google TV (sabrina) without USB password mitigation¹
    • Either a USB A to C, or a C to C cable
    • A PC running some flavor of 64-bit GNU Linux
    • `libusb-dev` installed
    • `fastboot` & `mke2fs` installed from the SDK Platform tools
    ¹: The USB password mitigation has been enabled on units manufactured in December 2020 and after. For units manufactured before, the mitigation was enabled by software update in February 2021. To discern this, look at the MFP date on the bar-code sticker on the bottom of your device's box. If you've powered it on and OTA'd, your firmware version needs to be below the February 2021 patch level. It's not possible to disable/change the password since it's burnt into the chip (efuses).

    Instructions:

    Follow the detailed and up-to-date instructions over at our Github repo, and maybe give the writeup a read/share on social media!

    Post-unlock:
    • The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
    • At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.

    Credits:
    • Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
    • Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
    • Frederic Basse (frederic): The initial exploit and the AES key tip
    Special Thanks:
    • Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
    • Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
    • Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
    • XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.
    2
    wow I'm glad I left mine unplugged
    2
    I've updated the g12 thread to support sabrina - the beta LineageOS builds for it are live!

    If you want to come back from them, just re-run unlock.sh and select to flash the factory image.
    2
    Thanks OP - script worked a treat on an (unused) unit, MFG: 07/2020.
    Any advice on blocking / disabling the OTA updates? Can't see any instructions searching around (and not much use it until that hurdle cleared!)