[ROOT] HubCap Chromecast Root Release!

bhiga

Inactive Recognized Contributor
Oct 13, 2010
2,501
1,017
So what are some things you can do with a rooted Chromecast?

Strange, I swear I replied to this, it must've got lost in the Ether(net).

See Root Mini-FAQ.
Mainly it's the ability to use custom whitelist or Team-Eureka whitelist, which probably isn't of much interest to non-developers, and the ability to specify DNS, which is a pretty big one if you're using a service to access content outside of your ISP's region.
 

Chatty

Senior Member
Apr 10, 2005
582
18
Hi. I have two new, never set up German CCs, build_version=17977, serial#=4117...
I flashed with the HubCap 16664 method and they got rooted.

Eventually I tried setting one up and tried NetFlix (only three red dots) and YouTube (worked shortly) - then it told me it needed to reboot for an update! :((( As I've feared it got updated to 27946. I know this can't be undone.

But how can I at least keep the other one from updating?
 

bhiga

Inactive Recognized Contributor
Oct 13, 2010
2,501
1,017
Hi. I have two new, never set up German CCs, build_version=17977, serial#=4117...
I flashed with the HubCap 16664 method and they got rooted.

Eventually I tried setting one up and tried NetFlix (only three red dots) and YouTube (worked shortly) - then it told me it needed to reboot for an update! :((( As I've feared it got updated to 27946. I know this can't be undone.

But how can I at least keep the other one from updating?

If you successfully rooted, you got the Eureka ROM update and should still be rooted. Check the web panel at http://addressOfYourChromecast

If it's there you still have root.

You can turn off updates in the web panel.
 

Chatty

Senior Member
Apr 10, 2005
582
18
After the OTA update the web interface was lost and I also could not telnet to it. And the Chromecast app told me the new version.

I just tried to reflash FlashCast and now the Chromecast app luckily tells 17977 again. After a while it again told me it needs to reboot. I intercepted and tried to reflash again. Then the TeamEureka screen told me that my device is upgraded to the latest firmware. And indeed, version 27946. No web interface - wait, it's just not available under the given DNS name but under http://chromecast/ - phew. Ok, so OTAs are ok and the root is persistent.
 

m4f1050

Senior Member
Apr 20, 2007
1,994
207
Is this still possible? I have 3 unrooted Chromecasts I would like to root. I went to the Teensy 2++ link but it shows 1 USB plug with a bunch of pins on the bottom, how exactly do you use this thing?

Thanks!

EDIT: NVM, you program the Teensy, then the Teensy programs the CC, correct? :) Also, my CC's have SN#'s other than 3C, does that mean it won't root? I have one that starts with GA3A....
 

bhiga

Inactive Recognized Contributor
Oct 13, 2010
2,501
1,017
Is this still possible? I have 3 unrooted Chromecasts I would like to root. I went to the Teensy 2++ link but it shows 1 USB plug with a bunch of pins on the bottom, how exactly do you use this thing?

Thanks!

EDIT: NVM, you program the Teensy, then the Teensy programs the CC, correct? :) Also, my CC's have SN#'s other than 3C, does that mean it won't root? I have one that starts with GA3A....

Yes, you program the Teensy then it does the magic to inject the vulnerable bootloader.

The serial doesn't matter so much as the firmware build on the Chromecast. Anything build 19084 or newer is NOT rootable.

 

m4f1050

Senior Member
Apr 20, 2007
1,994
207
Yes, you program the Teensy then it does the magic to inject the vulnerable bootloader.

The serial doesn't matter so much as the firmware build on the Chromecast. Anything build 19084 or newer is NOT rootable.


Yeah, kept reading and found out, thank you for clarifying. Wonder if there are any CC's out there unopened with vulnerable bootloaders....?

What would be cool is if they could find a way to flash these or a way to reload its original firmware somehow (if there is one, kinda like a recovery partition on a PC)
 

bhiga

Inactive Recognized Contributor
Oct 13, 2010
2,501
1,017
Yeah, kept reading and found out, thank you for clarifying. Wonder if there are any CC's out there unopened with vulnerable bootloaders....?

What would be cool is if they could find a way to flash these or a way to reload its original firmware somehow (if there is one, kinda like a recovery partition on a PC)

There are still rootable CCs out in the wild, but they're increasingly difficult to find.

Chromecast is "tough" because it has a secure boot (at least past the original build 12072) - and only Google-signed code can run.
HubCap gets around this in vulnerable builds via its exploit.

So there are two known ways to run non-Google code on firmware prior to build 19084:
  1. Original build 12072 bootloader
    Did not perform signature check, so any code can be run. This is what FlashCast uses to flash ROMs and mods.
  2. Bootloader in builds prior to (and not including) 19084
    Vulnerable to the HubCap exploit which is used to load its own kernel and patch the Chromecast so it can run non-signed code.
    You can read how it works on fail0verflow's blog.
 

m4f1050

Senior Member
Apr 20, 2007
1,994
207
I wish they did like computers do, you install whatever you want on a PC. First were the phones, now CC.. Thank God they made it legal to unlock phones.... Heck, even Macs will install Windows and other OS'es... You paid for the darn thing, it's yours, they should let you do whatever you want with it.... (that's my $0.02, doesn't mean they *HAVE* to...but....)
 

bhiga

Inactive Recognized Contributor
Oct 13, 2010
2,501
1,017
I wish they did like computers do, you install whatever you want on a PC. First were the phones, now CC.. Thank God they made it legal to unlock phones.... Heck, even Macs will install Windows and other OS'es... You paid for the darn thing, it's yours, they should let you do whatever you want with it.... (that's my $0.02, doesn't mean they *HAVE* to...but....)

We've had the discussion elsewhere, but I can't remember where. Anyway, with Chromecast being a digital media playback device, Google being Google, and lawyers representing paranoid clients, there's still a lot of fear regarding root and modifications.
It's slowly changing, but I'm pretty sure Google had to make some assurances of device security and such in order to get Netflix to let them include a native app (AFAIK it's the only Chromecast app that runs on the platform itself, rather than being a web app).
In the end, it's all about the content licensing. If all the licensors pulled the rug out from under Chromecast it'd be a $35 HDMI port cover.
I'm just happy my Ultraviolet players and TiVo app have loosened up and work on my rooted phone now - whether it's intentional or not.
 

m4f1050

Senior Member
Apr 20, 2007
1,994
207
Ahh, good ole DRM... Biting us like always... :)

Thanks for the info, good info!
 

Asphyx

Senior Member
Dec 19, 2007
2,151
376
While DRM is a factor the truth is Google basically stripped down the hardware design so much to keep the cost down that even if rooting was easy there isn't much the hardware is capable of doing beyond what it already does.
I'm sure the 2.4 Band limitation on the Wireless is also a result of this cost cutting.
Add to that the fact that Google didn't strangle the App development the way many feared they could via the Whitelisting and really there isn't much reason to root other than to avoid updates, get a web interface (Which Google should have included from the get go) and some advanced features most users will never use.

And while many thought a Chromecast II with better feature set might be available they simply went with the AndroidTV step which incorporates the CCast functionality into a more feature rich design.

Which points to a much bigger problem with Google...
They never seem to stick with anything for very long and leave its users chasing after whatever device or feature Google has decided to put that desired functionality into.
 

Top Liked Posts

  • 113
    Dear XDA Users,

    We’re happy to announce that fail0verflow, GTVHacker, and Team-Eureka have jointly discovered and exploited a new vulnerability in the Chromecast which allows root access on the current software build (17977) as well as new in box devices (proof).

    Requirements


    Instructions

    1. Install the appropriate Teensy Root Package on your device.
      • If New In Box device, use 12940 otherwise use 16664.
      • Use plusplus_*.hex for 2++ model, regular_*.hex for 2 model
    2. Using Win32DiskImager or dd, install the Flashcast Image to the 1G+ Flashdrive.
    3. Plug in the Teensy to a USB OTG Cable, and plug it into the Chromecast while holding down the reset button.
      • The Teensy light should start flashing. If not, try the process again. After 30 seconds, it should go solid orange and the Chromecast LED should turn white.
    4. Unplug the Teensy, then plug in the flashdrive loaded with Flashcast into the OTG cable, and then press the Chromecast button again.
      • If you used the 12940 image, the LED should turn white. If you used the 16664 image, the LED should stay dim red.
    5. After about 5 minutes, the Chromecast should reboot and your device should now be rooted!

    Having Problems?

    • “I am using a USB hub with a OTG cable, why is it not working?”
      • This root method requires a powered OTG cable and will not work over a USB hub. This is because the Teensy needs to be directly connected to the Chromecast to work and cannot go over a USB hub.
    • “How can I tell if the root is running?”
      • If the Chromecast is plugged into a TV, you should see a Flashcast message telling you your device is being rooted. If you do not see this message, unplug the Chromecast and try again.

    Created By

    @fail0verflow
    @gtvhacker
    @Dev_Team_Eureka

    Shoutouts

    Google Inc. - Thanks for the awesome device, now add fastboot support
    XDA-Developers - For being the home of Chromecast Development

    Download

    Exploit Demo: https://www.youtube.com/watch?v=S2K72qNv1_Q
    Download: http://download.gtvhacker.com/file/chromecast/HubCap.zip


    Source:
    GitHub: https://github.com/axoltl/HubCap
    10
    HEADS UP: Seems that Google HAS PATCHED the HubCap exploit in the latest OTA (19084), but did not post the source for it (to keep us guessing?). Please avoid this OTA if you want root!
    9
    8
    I am running 17977 firmware. The micro is verified as a usb hub and has been flashed with the correct file.

    So you're past step 2:
    1. Get all the needed hardware (compatible board & USB OTG cable with power).
    2. Get it flashed correctly with the right version hex file.
    3. Get the Chromecast to load the exploit payload.
    4. Load Eureka to the Chromecast from your flash drive.

    Here's a hex file compiled for the Leonardo/Micro, firmware >= 16664. Give this a try. It shouldn't magically make things work, but it should let you know that you've got the timing right for step 3. The only tricky part I noted was getting the timing right on when to release the CC button. Too early, and it goes to blinking white. For me, what worked was releasing it just after the CC turned red, but it took a few minutes of trial & error.
    7
    Brilliant -- working through the steps now!

    One bit of missing hardware that may seem obvious: you'll need a USB-to-MiniUSB cable to program the Teensy. It doesn't ship with one and it wasn't shown in the video. I had a spare, so I'm in business and will edit my post once I'm able to successfully flash my Chromecast, but it may need to be put down on the required parts list. :D

    UPDATE: worked like a charm!
    rooted.jpg


    The rooted device was purchased from Amazon two days ago with Prime shipping. Its S/N begins 3C24***. I couldn't tell you how happy I am to have not missed root this time around. ;)

    Thanks again for all your work, guys!