Update
Since this thread seems to have become quite popular, I thought I'd update it to give people all the newest information in one place.
Since I've made this post, there has been another OTA (build 12940) that improves bootloader security even further and prevents some potential root methods which were being developed for 12840. As of now, neither build 12840, build 12940, nor build 13300 has a published root method. New units have the patched bootloader preloaded from the factory and are not rootable. If you buy a unit at this point, there is a good chance that you will get one that is patched. (EDIT 2013-10-22: People are reporting that units they have purchased from Best Buy and Amazon are still running the vulnerable build. It is unclear if this is simply old stock or if there are still vulnerable units being produced.)
As for the methods described below, they cannot be performed through a shell (i.e. telnet) since the root filesystem is formatted as squashfs, which is read-only. Instead, the root images must be manually repacked for each OTA and flashed using a USB drive with an image such as FlashCast. @ddggttff3 maintains a FlashCast mod to update Chromecasts to the latest firmware without losing root, which can be found here.
For those of you who have managed to keep your vulnerable bootloaders, keep your eyes out. There should be some very cool releases in the near future.
Original post
As can be seen in this commit to Google's Chromecast source mirror, firmware version 1.1 adds a check for the result of image verification on line 755. This check will cause GTVHacker's USB image to fail to boot, and you will not be able to obtain root. Even if another root exploit is found, it seems very unlikely that it will be as clean or simple as the one which exists now, which simply uses version 0.7's unlocked bootloader to flash a new system image.
Unfortunately, I don't have a Chromecast to test on, so I cannot recommend a method of disabling OTAs. However, from looking at the system image, there are a few possibilities I see. THE FOLLOWING METHODS ARE UNTESTED AND ARE NOT GUARANTEED TO WORK OR LEAVE YOUR CHROMECAST IN A WORKING STATE. PERFORM THEM AT YOUR OWN RISK.
After telnetting into your rooted Chromecast or otherwise obtaining a root shell, you can try these two possible methods:
Rename otacerts.zip to otacerts.zip.bak in /system/etc/security/. This may remove the OTA signing keys and cause the Chromecast to reject any OTAs. However, I do not know whether this file is actually used or whether it is simply a remnant from Chromecast's Android base.
Replace /chrome/update_engine with an empty, executable, shell script (make sure to make a backup copy first). I am very unsure of this method, since it is simply going off the name of the update_engine binary. If update_engine happens to perform some task core to the system, doing this will leave your device in an unusable state. If this happens, simply re-rooting using GTVHacker's USB image should restore your system to how it was.
Again, I am not responsible for any bricked Chromecasts which may result from attempting this. If you do try either method, please report whether or not it appeared to work or have any ill effects.
Any idea when they'll push the update?
xuser said:
Any idea when they'll push the update?
According to Google, it's rolling out now.
Thanks for this, just checked my unit, which is still on the old version. Am waiting for my cable to get here so I can root it, so glad I caught it before it updated!
Looks like the update will be automatic and my Chromecast is plugged up at home (connected to wifi). Hope it doesn't get pushed today. My powered USB OTG cable hasn't arrived yet so I can't even root it ATM.
Sent from my GT-N5110 using Xparent Green Tapatalk 2
joshw0000 said:
Looks like the update will be automatic and my Chromecast is plugged up at home (connected to wifi). Hope it doesn't get pushed today. My powered USB OTG cable hasn't arrived yet so I can't even root it ATM.
Sent from my GT-N5110 using Xparent Green Tapatalk 2
find out the server name/ip for the OTA update, block it on your router
paperWastage said:
find out the server name/ip for the OTA update, block it on your router
Here are the URLs:
Stable channel updates http://goo.gl/3yy01K
Beta channel updates http://goo.gl/53l5sA
Dev channel updates http://goo.gl/JVkHhl
Weird...when I just loaded those, the stable channel has the highest build number. Stable is at 12840 (which is the update that is rolling out now), Beta is at 12726, Dev is at 12819
paperWastage said:
find out the server name/ip for the OTA update, block it on your router
I won't be home until later tonight.
Sent from my GT-N5110 using Xparent Green Tapatalk 2
also, i'd assume replacing /boot/recovery.img with a custom recovery or just removing it would also prevent updates. not sure though, I also don't have a chromecast.
also, if you are feeling adventurous, try this: http://db.tt/Ja1XBNgH. if it works, you'll have the latest software, root, and no updated bootloader. if it doesn't work, you might be able to recover by using gtvhacker's image. no promises though, since I don't own a chromecast, I can't test it. Don't blame me if your chromecast quits working, explodes, kills your puppy, or hands north korea some working nukes.
@xuser your signature made me think there was an actual bug on my screen. I tried to kill it, but it ignored my attempts and kept crawling around under the glass
[removed]
Wouldn't it be possible to flash build 12072 back onto the device (since it is signed by Google), and then root it using that build? That is a fairly common practice for many devices that have exploits in early releases. Is there a copy of the image for build 12072 floating around yet?
It's possible. But it seems like more and more manufacturers are preventing downgrading. Who actually manufactures this thing?
Sent from my SCH-I545 using Xparent Green Tapatalk 2
the chromecast seems to have a recovery mode (like android) that flashes update zips (like android). so if we found a google signed update for the original firmware that includes flashing the insecure bootloader, then downgrades are possible. but the update zips posted above include a build date check, which means you have to either modify your build.prop (requires root, which is what we are trying to accomplish) or modify the update zip (which will make it no longer google signed and valid, so it would need a custom recovery. which requires root). so, unless google lets us, downgrading is not possible.
I'm still hoping that google built in a dev-mode, like their chrome os devices.
Hmm I wonder if I were to order one now would it come with the old software or the new update?
I'm guessing that it would still be on the old build (assuming you get it shipped soon, or pick it up at Best Buy). My Chromecast sticks still haven't updated to the latest build.
joshw0000 said:
Who actually manufactures this thing?
Sent from my SCH-I545 using Xparent Green Tapatalk 2
Good question.
mine updated itself today and lost root
no one tried my image yet?
I'm curious if you had your Chromecast powered off during the day today. And if so, did you see it update when you turned it on?
I have been using my Chromecast to stream music all day, and so far it hasn't updated to the latest build. I would assume as long as the Chromecast is off or in use casting then the update will not be performed.
Louer Adun said:
I'm curious if you had your Chromecast powered off during the day today. And if so, did you see it update when you turned it on?
I have been using my Chromecast to stream music all day, and so far it hasn't updated to the latest build. I would assume as long as the Chromecast is off or in use casting then the update will not be performed.
I've turned it off a few times but it finally updated ~30 min ago.
Here we have a Flashcast flashable zip with the 13300 system and kernel, which has telnet&ADB enabled, and OTA updates disabled.
Downloads:
[PwnedCast, Replacement for this ROM]: http://forum.xda-developers.com/showthread.php?t=2515799
Old Downloads:
[V1.1 - Sep 26th]: https://mega.co.nz/#!BBllzagT!K5-OenCZNz-0f7n6XJ8ubS9roOwtxEWt3Eq54GJMqE0.
[V1.0 - Sep 21st]: https://mega.co.nz/#!hZ1ClT6T!ZNBzuzlkyZUtMMivozTGnngXPzJb7ZHlNit-c7xlCV4
Install Instructions:
Setup and Install Flashcast on a Jump Drive: http://forum.xda-developers.com/showthread.php?t=2452838
Download, and put eureka_image.zip on your Flashcast jump drive. do NOT rename the file!
Plug the Flashcast jump drive into the chromecast, hold the button, and plug in power to boot the device.
Flashing will take 5~ minutes, be patient! As long as the chromecast LED is white, it is working.
Once done, the device will reboot
Enjoy an update-free, rooted system!
Thanks To:
GTVHacker
tchebb
tvall
ften
Anyone Else I Missed!
Changelog:
1.1 - Added Custom Boot Animation
1.0 - Initial Release
Extras:
Custom Boot Animation: https://mega.co.nz/#!lY8GmQiZ!ORKufk5pGXyj4uhx0xGtD3wi2BtiZZEMmOPDiYlxNTE
(This is NOT a full ROM, so this must be flashed over the firmware. If you are on version 1.1, this will not change anything. Use this to upgrade from 1.0 to 1.1 without doing a factory reset)
Expect some cool new features to show up in the next release, which will be when the new OTA hits. I'm talking SSH, DHCP DNS, and some other secret goodies.
Great work! Now I can stop screwing with a device I don't own.
I tried the above steps... I had a white light then it rebooted and gave me a red light. I proceeded anyways and threw the eureka file on the drive and then held that little button down FOREVER! it was white the whole time... it then tried rebooting but no image came up. I released the button and waited... just a white light and a black screen. I yanked everything and tried just firing it up like normal... it never shows starting chromecast it just is a black screen....
(So I had your instruction page up on my TV screen but after the reboot nothing came up it was just black with a white light) and then i tried a normal boot... nothing happens. i get no starting chromecast...
any thoughts?
doctordroid said:
I tried the above steps... I had a white light then it rebooted and gave me a red light. I proceeded anyways and threw the eureka file on the drive and then held that little button down FOREVER! it was white the whole time... it then tried rebooting but no image came up. I released the button and waited... just a white light and a black screen. I yanked everything and tried just firing it up like normal... it never shows starting chromecast it just is a black screen....
(So I had your instruction page up on my TV screen but after the reboot nothing came up it was just black with a white light) and then i tried a normal boot... nothing happens. i get no starting chromecast...
any thoughts?
You don't need to hold the button down the entire time (although it shouldn't hurt). You should only need to hold it for about 5 seconds after you connect the power for the Chromecast to boot off USB. It sounds like you're doing everything correctly, but not waiting long enough for the image to flash. If you see both the instructions screen and a white light, FlashCast is in the middle of flashing. Unless the light turns red, it will automatically reboot when it's done.
tchebb said:
You don't need to hold the button down the entire time (although it shouldn't hurt). You should only need to hold it for about 5 seconds after you connect the power for the Chromecast to boot off USB. It sounds like you're doing everything correctly, but not waiting long enough for the image to flash. If you see both the instructions screen and a white light, FlashCast is in the middle of flashing. Unless the light turns red, it will automatically reboot when it's done.
I did a second time and it now showed starting chromecast but never booted up. So this time I am doing it over and I let go the light is white... When will I know it is all done flashing??? Won't the light always stay white? I am waiting for a reboot should I just let it do its thing and it will automatically reboot and start up normally if all went well or do I need to disconnect the OTG cable?
Just got a Chromecast so pardon the super noob question. If the Chromecast updates itself automatically to the newest update, will I still be able to flash this? Thanks!
doctordroid said:
I did a second time and it now showed starting chromecast but never booted up. So this time I am doing it over and I let go the light is white... When will I know it is all done flashing??? Won't the light always stay white? I am waiting for a reboot should I just let it do its thing and it will automatically reboot and start up normally if all went well or do I need to disconnect the OTG cable?
Yes, just wait for it to reboot on its own. It will boot into the normal image unless you hold the button, so it doesn't matter whether or not you have the OTG cable connected.
its working!!!! its working!!!!!!!:good::good::good::good::good::good:
---------- Post added at 08:49 PM ---------- Previous post was at 07:55 PM ----------
Gwanatu said:
Just got a Chromecast so pardon the super noob question. If the Chromecast updates itself automatically to the newest update, will I still be able to flash this? Thanks!
no. it will not. the updates patch the hack
flashed over fine here, setting it up now. thanks! :good:
Gwanatu said:
Just got a Chromecast so pardon the super noob question. If the Chromecast updates itself automatically to the newest update, will I still be able to flash this? Thanks!
someone correct me if i'm wrong, but i'm pretty sure if you've received an update you won't be able to flash (unless a new exploit has been found).
Gwanatu said:
Just got a Chromecast so pardon the super noob question. If the Chromecast updates itself automatically to the newest update, will I still be able to flash this? Thanks!
Any chromecast that has been updated with any official OTA will be unable to use this. All of our current root methods require the insecure bootloader, which came stock with the chromecast. any OTA would have updated, and secured the bootloader.
when reading the instructions it says to copy the eureka.zip file to the usb and install to the chromecast. my light stays red and won't install. the link to flash cast shows copy the file with win32disk imager in the .bin file format. eureka.zip is about 85 megs and flashcast.bin is about 20 megs.
what am i missing? i thought that you can only install in a .bin format. help please. thank you.
am i supposed to use win32disk imager with flashcast.bin then eureka.zip?
Hulkanator said:
when reading the instructions it says to copy the eureka.zip file to the usb and install to the chromecast. my light stays red and won't install. the link to flash cast shows copy the file with win32disk imager in the .bin file format. eureka.zip is about 85 megs and flashcast.bin is about 20 megs.
what am i missing? i thought that you can only install in a .bin format. help please. thank you.
am i supposed to use win32disk imager with flashcast.bin then eureka.zip?
First you win32disk the FlashCast.bin from the other thread, and then boot it on the chromecast as is. You do this to install FlashCast to the drive. After a bit, the chromecast should reboot. Once it does, take the jump drive, plug it into a PC, and then put the eureka_image.zip on the jumpdrive. Now boot the jumpdrive on the chromecast again, and it will install the ROM.
tl;dr Read this thread, and the FlashCast thread fully.
rooted 13300 via OTA
I was wondering what is blocking us from doing a DNS hijack and do the same rooted image update via OTA method?
The below thread mentions about the OTA request response:
http://forum.xda-developers.com/showthread.php?t=2450120
So can't the response be hijacked from a local webserver and serve the rooted image as update?
-morchu
morchu said:
I was wondering what is blocking us from doing a DNS hijack and do the same rooted image update via OTA method?
The below thread mentions about the OTA request response:
http://forum.xda-developers.com/showthread.php?t=2450120
So can't the response be hijacked from a local webserver and serve the rooted image as update?
-morchu
All official OTA updates are signed by google, so any modified zip's would fail to flash once loaded into recovery. They also check the firmwares build date to make sure no one downgrades.
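The two checks discussed in this thread, modelled in C: the bootloader acting on the image-verification result (original post) and an update being accepted only if it is signed and not older than the installed build (the reply above). This is an added example, not part of the thread and not Google's code; the image layout, the function names, and the keyed checksum standing in for a real signature are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical image layout for this example; not the Chromecast format. */
struct image {
    uint32_t build_date;   /* e.g. 20130801 */
    char     payload[32];
    uint32_t tag;          /* stand-in for the vendor signature */
};

/* Toy keyed checksum (seeded FNV-1a) over the bytes before `tag`. It only
 * models "changing any signed byte invalidates the tag"; it is not a signature. */
static uint32_t toy_tag(const struct image *img)
{
    const unsigned char *p = (const unsigned char *)img;
    uint32_t h = 2166136261u ^ 0x5eedc0deu;   /* constructed seed */
    for (size_t i = 0; i < offsetof(struct image, tag); i++)
        h = (h ^ p[i]) * 16777619u;
    return h;
}

/* Vendor side: build an image and tag it. */
static struct image make_signed(uint32_t build_date, const char *payload)
{
    struct image img;
    memset(&img, 0, sizeof img);
    img.build_date = build_date;
    strncpy(img.payload, payload, sizeof img.payload - 1);
    img.tag = toy_tag(&img);
    return img;
}

/* Returns 0 if the tag matches the image contents, -1 otherwise. */
static int verify_image(const struct image *img)
{
    return toy_tag(img) == img->tag ? 0 : -1;
}

/* Flawed: verification runs but its result is discarded. Returns 1 = booted. */
int boot_unchecked(const struct image *img)
{
    (void)verify_image(img);
    return 1;
}

/* Fixed: refuse to boot when verification fails. */
int boot_checked(const struct image *img)
{
    return verify_image(img) == 0;
}

enum ota_result { OTA_OK, OTA_BAD_SIGNATURE, OTA_TOO_OLD };
/* Update check: the package must verify AND must not be older than the
 * installed build. The date is signed too, so editing it breaks the tag. */
enum ota_result ota_accept(const struct image *img, uint32_t installed_date)
{
    if (verify_image(img) != 0)
        return OTA_BAD_SIGNATURE;
    if (img->build_date < installed_date)
        return OTA_TOO_OLD;
    return OTA_OK;
}

int main(void)
{
    struct image stock = make_signed(20130801, "stock system");
    struct image modified = stock;
    modified.payload[0] ^= 1;              /* one byte changed after signing */
    struct image old = make_signed(20130701, "older signed build");
    struct image redated = old;
    redated.build_date = 20130901;         /* date edited after signing */
    printf("modified image: unchecked=%d checked=%d\n",
           boot_unchecked(&modified), boot_checked(&modified));
    printf("old OTA=%d redated OTA=%d\n",
           (int)ota_accept(&old, 20130801), (int)ota_accept(&redated, 20130801));
    return 0;
}
```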
Thanks. Obviously !!!
Forgot the fact that google wants this to be a closed system.
So I believe it is only authentication enabled at this point. Possibly the images may become encrypted in future, if google wants to keep it closed.
ddggttff3 said:
All official OTA updates are signed by google, so any modified zip's would fail to flash once loaded into recovery. They also check the firmwares build date to make sure no one downgrades.
morchu said:
Thanks. Obviously !!!
Forgot the fact that google wants this to be a closed system.
So I believe it is only authentication enabled at this point. Possibly the images may become encrypted in future, if google wants to keep it closed.
i'm hoping on one of those smart kids out here who find a way to flash the last 13300 build.
raydekok said:
i'm hoping on one of those smart kids out here who find a way to flash the last 13300 build.
Unless we find a way around the bootloader, flashing won't be happening any time soon. Root shell access may be possible though.
ddggttff3 said:
Unless we find a way around the bootloader, flashing won't be happening any time soon. Root shell access may be possible though.
Ok ok tell me how. I Will wait and see
Sent from my GT-I9100 using Tapatalk
raydekok said:
Ok ok tell me how. I Will wait and see
Sent from my GT-I9100 using Tapatalk
There is no method or way as of yet, but if anything is found I am sure it will be shared in this forum.
First of all, thank you, @ddggttff3, for all the work you, and all other devs, are putting into this device.
Got this flashed over tvall's image.
Looks like it flashed OK: saw the info screen during flash, then it rebooted and set up screen came up.
A couple of questions:
Q1: is it supposed to say in Chromecast app: Firmware 13300 ?
Q2: I can Telnet and adb into the Chromecast fine. But after flashing this, I can't ssh in anymore... is it turned off?
Thanks
I have finally received my powered OTG cable and am ready to root my chromecast, which has a vulnerable bootloader and hasn't been used. When I first looked at XDA, it seemed there was only the "GTV" method of rooting the device. I now see there is a "Flashcast" method. Which method is suggested?
Medicstud007 said:
I have finally received my powered OTG cable and am ready to root my chromecast, which has a vulnerable bootloader and hasn't been used. When I first looked at XDA, it seemed there was only the "GTV" method of rooting the device. I now see there is a "Flashcast" method. Which method is suggested?
Flashcast is the new suggested method because it provides a lot of cool features, such as the ability to flash mods and update the kernel.
Thanks! I'm in the process of flashing now. How can I tell when it's complete?
Followup question: How do I flash additional zips as they become available such as change DNS to unlockable
Medicstud007 said:
Thanks! I'm in the process of flashing now. How can I tell when it's complete?
Followup question: How do I flash additional zips as they become available such as change DNS to unlockable
You can tell flashcast is setup successfully when the device reboots back to the normal firmware, and when you plug the jumpdrive into a computer, it now shows as formatted so you can put files on it.
As for flashing, put one file on the jumpdrive at a time, named eureka_image.zip, and boot the jump drive. when it is done flashing, it will reboot the chromecast normally back to the OS. so you must flash one file at a time. Multiple file flashing is a feature that I believe is currently being worked on for flashcast.
Just wanted to confirm that I have locked the root by updating to 13300 build. Did I?
I did not even think before updating to the latest version and when i did, it was too late. Hopefully, sm1 will be able to break it. Thanks.
Mef.
mefistofel666 said:
Just wanted to confirm that I have locked the root by updating to 13300 build. Did I?
If it auto-updated at all (not that it gives you a choice) and you were not already using a rooted firmware like PwnedCast, then yes, you no longer have root and cannot get root by any of the current means (Flashcast).
PwnedCast has an auto-update function that updates to new versions that preserve root.
Hopefully there will be other root methods discovered after the SDK is released, but until something new pops up, you can only use the Google-supplied apps - in other words, your Chromecast is "just" a regular Chromecast.
bhiga said:
in other words, your Chromecast is "just" a regular Chromecast.
By "Regular Chromecast" you mean "a lemon" right?
still no luck?
still nothing on rooting 13300?
mefistofel666 said:
still nothing on rooting 13300?
No, and build 14651 is rolling out for stock Chromecasts. It's a moving target, unless a vulnerability is found in the SDK, but first the SDK needs to be released.
Watch out if you are planning to root! Currently we do not know if this prevents new root!
New firmware 19084 was released yesterday. It predictably does not mention anything about fixing new root exploit, but anybody who would like to attempt root in future should prevent his Chromecast from updating.
https://productforums.google.com/forum/#!topic/chromecast/FOIWpJydK9Y
Thanks for the update! From google source site, it looks like they have yet to patch the new exploit, but until I have a copy in-house to test with, I can not confirm this.
They might purposefully neglect to mention any patch of the exploit in hopes of catching people by surprise....
Much better safe than sorry for those who are still waiting for a teensy to root
HEADS UP: Seems that google HAS PATCHED the HubCap exploit, but did not post the source for it (to keep us guessing?). Please avoid this OTA if you want root!
How can we see which firmware is currently installed on the chromecast? I connected it back to my tv with router off so it can't update, but I see no info concerning firmware.
TRoN_1 said:
How can we see which firmware is currently installed on the chromecast? I connected it back to my tv with router off so it can't update, but I see no info concerning firmware.
Use the CCast setup app....
But I suggest you disconnect the Internet from the router before you check...
Asphyx said:
Use the CCast setup app....
But I suggest you disconnect the Internet from the router before you check...
I more than suggest. I don't know when it started, but the current Chromecast app will try to force an update before it completes setup.
I still have version 17977
I am not rooted I am hoping this new update allows native screen mirroring.
shamelin73 said:
I still have version 17977
I am not rooted I am hoping this new update allows native screen mirroring.
Screen mirroring is already available...A new update isn't going to change anything about that if you can't mirror already the issue is your phone or tablet not the CCast.
SO if you want to root I suggest not taking the Update until you do, You are not going to gain anything just lose the ability to root.
Asphyx said:
Screen mirroring is already available...A new update isn't going to change anything about that if you can't mirror already the issue is your phone or tablet not the CCast.
SO if you want to root I suggest not taking the Update until you do, You are not going to gain anything just lose the ability to root.
I am guessing I don't know how to get it to work then. I thought the Moto X was not supported yet till the update but I am guessing it is an update to the phone that I need.
Sent from my XT1053 using Tapatalk
shamelin73 said:
I am guessing I don't know how to get it to work then. I thought the Moto X was not supported yet till the update but I am guessing it is an update to the phone that I need.
Sent from my XT1053 using Tapatalk
Yes it is most likely the phone side that is the issue...
The Mirroring works for the devices that support mirroring and it is unlikely to change much in an update.
All the CCast does is receive a stream....the Phone/Tab does the majority of the work by creating the stream and not all units have the ability to do that yet.
Besides...Even if you root the CCast it won't take long for Team Eureka to update the rom to get any goodness the newest update has in it....
So even after you root if there DOES happen to be something that allows your phone to mirror you will get it in Team Eureka Rom soon enough.
If you have a Chromecast "tucked away" waiting to be rooted you might want to turn off WiFi and factory reset it so it has no ability to update when you power it up for rooting later.
Anyone know when the update mentioned in the io will be pushed?
Deeco7 said:
Anyone know when the update mentioned in the io will be pushed?
Been pushed already! SO if you haven't rooted yet and your unit has gotten the update you're SOL...
It should also be noted, that once you get this update, a factory reset COULD essentially brick the device, or at least give you problems.
Sources:
https://plus.google.com/110558071969009568835/posts/QUjWK6fkHNR
...and
https://plus.google.com/110558071969009568835/posts/cEhdykfYstF
mdamaged said:
It should also be noted, that once you get this update, a factory reset COULD essentially brick the device, or at least give you problems.
Sources:
https://plus.google.com/110558071969009568835/posts/QUjWK6fkHNR
...and
https://plus.google.com/110558071969009568835/posts/cEhdykfYstF
Looks like they tried to push out an update to fix the new root exploit too quickly.
where is my backdrop? ;_;