[RELEASE] Chromecast with Google TV 4K (sabrina) Bootloader Unlock


dante_ov

Member
Jun 14, 2021
Is there anyone from Europe here who is interested in buying exploitable CCwGTV?

retyre

Senior Member
Jan 14, 2011
Central FL
A new update for sabrina (QTS1.220504.008) showed up a few days ago. If you're dying to update safely (i.e., without losing the unlock), PM me and I will send you the update to test-flash.
 

npjohnson

Recognized Developer
I have already "fixed" it to create a new super.img (and an accompanying boot.img) from the latest update -- with the required changes to vendor.img and without the bootloader image. Boots fine and retains the unlock.
Oh, you copied the .TA files over and all?

Was it a full OTA this time?

It was a delta last time which was a pain in the ass lol
 

Deleted member 11959327

Guest
When I installed a uart header in one of my sabrinas last year, I used this image from the unlock writeup as reference for the serial connections:

[image: probes.jpg (serial probe locations from the unlock writeup)]


and installed the uart header thusly:

[image: sabrina-uart_01.jpg (uart header as originally installed)]


Today I was booting ubuntu on sabrina and trying to interrupt uboot (fred has bootdelay set at non-zero value). I couldn't interrupt uboot.

It turns out that I had RX connected to the wrong location. It actually is here:

[image: sabrina-uart_02.jpg (correct RX location)]


The correct tx/rx locations also correspond to these locations on the edge connector:

[image: sabrina-uart_03.jpg (corresponding tx/rx locations on the edge connector)]


Please excuse this post if this info has been mentioned previously.
 

Introduction:

This is an exploit chain intended to allow one to run a custom OS/unsigned code on the Chromecast with Google TV (CCwGTV) 4K (sabrina).

This uses a bootROM bug in the SoC by security researcher Frederic Basse (frederic).

Frederic also did a great amount of work to temporarily boot a custom OS from USB here.

Security researchers Jan Altensen (Stricted) and Nolen Johnson (npjohnson) took the vulnerability and provided tools and customized a u-boot image to take advantage of the provided secure-execution environment to fully bootloader unlock the device.

Disclaimer:

You are solely responsible for any potential damage(s) caused to your device by this exploit.

FAQ:

- Does unlocking the bootloader void my warranty on this device?
Probably, assume so. Or just flash stock and lock your bootloader before RMA. The exploit itself leaves no traces.

- Does unlocking the bootloader break DRM in any way?
Nope, just like unlocking a Pixel device officially.

- Can I OTA afterwards?
NO - It will re-lock your bootloader, and if you've made any modifications, OTA updates will brick you pretty hard. If you manage to do this, re-running the exploit won't be possible either, as a BootROM password is set on any update newer than February 2022.

- Can I use stock?
Yes, but only if you flashed the newer patched factory image offered up in the script.

- Can I go back to stock after installing custom OSes?
Yeah, totally, here's a "Factory Image" I made in the style of Pixel Factory Images. The patch level of this build is 2021-08-05. The tool offers to put you on a newer firmware; it's highly recommended to do so.

- Can I re-lock the bootloader?
If you flashed the factory image above, sure, but you run the risk of not being able to unlock again.

- I've run the exploit 10 times and it isn't working yet!
Swap USB ports/cables, and keep trying; for some people it takes one attempt, for some it takes a lot of attempts.

Requirements:
• Chromecast with Google TV (sabrina) without USB password mitigation¹
• Either a USB A to C, or a C to C cable
• A PC running some flavor of 64-bit GNU Linux
• `libusb-dev` installed
• `fastboot` & `mke2fs` installed from the SDK Platform tools
¹: The USB password mitigation has been enabled on units manufactured in December 2020 and after. For units manufactured before, the mitigation was enabled by software update in February 2021. To discern this, look at the MFP date on the bar-code sticker on the bottom of your device's box. If you've powered it on and OTA'd, your firmware version needs to be below the February 2021 patch level. It's not possible to disable/change the password since it's burnt into the chip (efuses).

Instructions:

Follow the detailed and up-to-date instructions over at our GitHub repo, and maybe give the writeup a read/share on social media!

Post-unlock:
• The script asks if you want to flash LineageOS Recovery, or a Magisk patched boot image, so enjoy those!
• At the moment, there are no ROMs for the device, but Android builds in the form of LineageOS are coming soon™. Builds of that will be posted in this forum once ready, and I'll link them here.

Credits:
• Nolen Johnson (npjohnson): The writeup, helping debug/develop/theorize the unlock method
• Jan Altensen (Stricted): The initial concept, u-boot side unlock implementation, debugging/developing the unlock method, and being a wealth of information when it comes to Amlogic devices
• Frederic Basse (frederic): The initial exploit and the AES key tip

Special Thanks:
• Ryan Grachek (oscardagrach): Being an awesome mentor, teaching me a fair chunk of what I know about hardware security, and being a massive wealth of knowledge about most random things.
• Chris Dibona: Being an awesome advocate of OSS software and helping ensure that we got all the source-code pertinent to the device.
• Pierre-Hugues Husson (phh): For pointing me down the Amlogic road to begin with by letting me know Google had decided to make the ADT-3 bootloader unlockable.
• XDA users @p0werpl & @JJ2017, who both helped experiment and find a combination of images that allowed us to skip the forced OTA in SUW.
Wow, I'm glad I left mine unplugged.
Hey y'all - Unofficial download portal is back up.

Unlock and factory image flash scripts should work now.

It may be hit and miss tomorrow as I rewire everything, but everything /should/ be functional for now.

Thanks!
Hey all, I am moving and therefore some of the links in the OP may be down for a few days. Likely Wednesday, Friday at the worst.

Don't panic when the script can't fetch the firmwares/images it needs. It is a planned outage.

Thanks, see you on the other side!
The boreal exploits are live!

Massive callouts to @Functioner and @Stricted for working together with me on this chain!