• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!
  • Fill out your device list and let everyone know which phones you have!    Edit Your Device Inventory

[ROOT] HubCap Chromecast Root Release!

Search This thread

Team-Eureka

Senior Member
Dec 30, 2013
105
318
www.team-eureka.com
Dear XDA Users,

We’re happy to announce that fail0verflow, GTVHacker, and Team-Eureka have jointly discovered and exploited a new vulnerability in the Chromecast which allows root access on the current software build (17977) as well as new in box devices (proof).

Requirements


Instructions

  1. Install the appropriate Teensy Root Package on your device.
    • If New In Box device, use 12940 otherwise use 16664.
    • Use plusplus_*.hex for 2++ model, regular_*.hex for 2 model
  2. Using Win32DiskImager or dd, install the Flashcast Image to the 1G+ Flashdrive.
  3. Plug in the Teensy to a USB OTG Cable, and plug it into the Chromecast while holding down the reset button.
    • The Teensy light should start flashing. If not, try the process again. After 30 seconds, it should go solid orange and the Chromecast LED sould turn white.
  4. Unplug the Teensy, then plug in the flashdrive loaded with Flashcast into the OTG cable, and then press the Chromecast button again.
    • If you used the 12940 image, the LED should turn white. If you used the 16664 image, the LED should stay dim red.
  5. After about 5 minutes, the Chromecast should reboot and your device should now be rooted!

Having Problems?

  • “I am using a USB hub with a OTG cable, why is it not working?”
    • This root method requires a powered OTG cable and will not work over a USB hub. This is because the teensy needs to be directly connected to the Chromecast to work and can not go over a USB hub.
  • “How can I tell if the root is running?”
    • If the Chromecast is plugged into a TV, you should see a Flashcast message telling you your device is being rooted. If you do not see this message, unplug the Chromecast and try again.

Created By

@fail0verflow
@gtvhacker
@Dev_Team_Eureka

Shoutouts

Google Inc. - Thanks for the awesome device, now add fastboot support
XDA-Developers - For being the home of Chromecast Development

Download

Exploit Demo: https://www.youtube.com/watch?v=S2K72qNv1_Q
Download: http://download.gtvhacker.com/file/chromecast/HubCap.zip


Source:
GitHub: https://github.com/axoltl/HubCap
 
Last edited:

psouza4

Inactive Recognized Developer
Feb 26, 2009
746
856
Meridian, ID
www.PeterSouza.com
Brilliant -- working through the steps now!

One bit of missing hardware that may seem obvious: you'll need a USB-to-MiniUSB cable to program the Teensy. It doesn't ship with one and it wasn't shown in the video. I had a spare, so I'm in business and will edit my post once I'm able to successfully flash my Chromecast, but it may need to be put down on the required parts list. :D

UPDATE: worked like a charm!
rooted.jpg


The rooted device was purchased from Amazon two days ago with Prime shipping. It's S/N begins 3C24***. I couldn't tell you how happy I am to have not missed root this time around. ;)

Thanks again for all your work, guys!
 
Last edited:

FusionX

Senior Member
Nov 15, 2008
669
158
NY
Awesome, thanks! Downloading now and will update!

Edit: flawless victory! Rooted 2 CC, one new in box and the other on latest firmware. Great work! Can't wait to see the source to understand how the exploit took place.
 
Last edited:

Asphyx

Senior Member
Dec 19, 2007
2,145
373
Yea! I have a rooted CCast....

Just a note for Windows users who use win32mage....the flashcast image doesn't show using the browse because it's a BIN not an IMG file...
Just remove the file filter to *.* to see the proper image to burn to the USB Jump Drive.
 

psouza4

Inactive Recognized Developer
Feb 26, 2009
746
856
Meridian, ID
www.PeterSouza.com
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.

It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?

I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.

Thoughts?
 

FusionX

Senior Member
Nov 15, 2008
669
158
NY
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.

It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?

I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.

Thoughts?

Not sure but one of the ones I just rooted was 37*** that was on the latest ota.

I used the 16664 with a 2++

Sent from my 831C using Tapatalk
 
  • Like
Reactions: frome901

ddggttff3

Inactive Recognized Developer
Dec 13, 2009
802
1,534
Minnesota
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.

It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?

I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.

Thoughts?

The exploit should still work on the older 36** serial device with the 16664 hex file. Double check to make sure the firmware on it is 16664 or greater. You won't be able to SSH into the device unless the root flashcast image is running.
 

psouza4

Inactive Recognized Developer
Feb 26, 2009
746
856
Meridian, ID
www.PeterSouza.com
The exploit should still work on the older 36** serial device with the 16664 hex file. Double check to make sure the firmware on it is 16664 or greater. You won't be able to SSH into the device unless the root flashcast image is running.
I am an idiot and didn't press the button on the Chromecast the second time to initiate payload from the flash drive. This is TWICE I did it and forgot about it both times.

Thanks!
 

Asphyx

Senior Member
Dec 19, 2007
2,145
373
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.

It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?

I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.

Thoughts?

I found it difficult to power up the system and hold the CCast button down while doing it...
Figured out that if I POWER up the OTG cab;e and Teensy First it was much easier to hold the button and plug the CCast power in.
Try that....The Teensy should flash, if it doesn't reprogram it.
Make sure you use the Flashcast in the Hub release not the original found elsewhere on XDA
 

psouza4

Inactive Recognized Developer
Feb 26, 2009
746
856
Meridian, ID
www.PeterSouza.com
I found it difficult to power up the system and hold the CCast button down while doing it...
Figured out that if I POWER up the OTG cab;e and Teensy First it was much easier to hold the button and plug the CCast power in.
Try that....The Teensy should flash, if it doesn't reprogram it.
Make sure you use the Flashcast in the Hub release not the original found elsewhere on XDA

This is already resolved (posted above): I had forgotten to hit the button a second time for the flash drive payload.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 113
    Dear XDA Users,

    We’re happy to announce that fail0verflow, GTVHacker, and Team-Eureka have jointly discovered and exploited a new vulnerability in the Chromecast which allows root access on the current software build (17977) as well as new in box devices (proof).

    Requirements


    Instructions

    1. Install the appropriate Teensy Root Package on your device.
      • If New In Box device, use 12940 otherwise use 16664.
      • Use plusplus_*.hex for 2++ model, regular_*.hex for 2 model
    2. Using Win32DiskImager or dd, install the Flashcast Image to the 1G+ Flashdrive.
    3. Plug in the Teensy to a USB OTG Cable, and plug it into the Chromecast while holding down the reset button.
      • The Teensy light should start flashing. If not, try the process again. After 30 seconds, it should go solid orange and the Chromecast LED sould turn white.
    4. Unplug the Teensy, then plug in the flashdrive loaded with Flashcast into the OTG cable, and then press the Chromecast button again.
      • If you used the 12940 image, the LED should turn white. If you used the 16664 image, the LED should stay dim red.
    5. After about 5 minutes, the Chromecast should reboot and your device should now be rooted!

    Having Problems?

    • “I am using a USB hub with a OTG cable, why is it not working?”
      • This root method requires a powered OTG cable and will not work over a USB hub. This is because the teensy needs to be directly connected to the Chromecast to work and can not go over a USB hub.
    • “How can I tell if the root is running?”
      • If the Chromecast is plugged into a TV, you should see a Flashcast message telling you your device is being rooted. If you do not see this message, unplug the Chromecast and try again.

    Created By

    @fail0verflow
    @gtvhacker
    @Dev_Team_Eureka

    Shoutouts

    Google Inc. - Thanks for the awesome device, now add fastboot support
    XDA-Developers - For being the home of Chromecast Development

    Download

    Exploit Demo: https://www.youtube.com/watch?v=S2K72qNv1_Q
    Download: http://download.gtvhacker.com/file/chromecast/HubCap.zip


    Source:
    GitHub: https://github.com/axoltl/HubCap
    10
    HEADS UP: Seems that google HAS PATCHED the HubCap exploit in the latest OTA (19084), but did not post the source for it (to keep us guessing?). Please avoid this OTA if you want root!
    9
    8
    I am running 17977 firmware. The micro is verified as a usb hub and has been flashed with the correct file.

    So you're past step 2:
    1. Get all the needed hardware (compatible board & USB OTG cable with power).
    2. Get it flashed correctly with the right version hex file.
    3. Get the Chromecast to load the exploit payload.
    4. Load Eureka to the Chromecast from your flash drive.

    Here's a hex file compiled for the Leonardo/Micro, firmware >= 16664. Give this a try. It shouldn't magically make things work, but it should let you know that you've got the timing right for step 3. The only tricky part I noted was getting the timing right on when to release the CC button. Too early, and it goes to blinking white. For me, what worked was releasing it just after the CC turned red, but it took a few minutes of trial & error.
    7
    Brilliant -- working through the steps now!

    One bit of missing hardware that may seem obvious: you'll need a USB-to-MiniUSB cable to program the Teensy. It doesn't ship with one and it wasn't shown in the video. I had a spare, so I'm in business and will edit my post once I'm able to successfully flash my Chromecast, but it may need to be put down on the required parts list. :D

    UPDATE: worked like a charm!
    rooted.jpg


    The rooted device was purchased from Amazon two days ago with Prime shipping. It's S/N begins 3C24***. I couldn't tell you how happy I am to have not missed root this time around. ;)

    Thanks again for all your work, guys!