CC and a Bus Pirate w/UART - Google Chromecast

Been working on a project on the boot up sequence of the CC using a Bus Pirate and UART connections.
Unfortunately just got the Bus Pirate and possibly a bad CC that is bricked so not getting any result that is positive.
If you have used a BP on a CC and received any kind of good log, I would love to know how you set it up and if it was doable with only the TX pad and ground on the CC, as well as what you got for a data log at boot up.
Maybe then I can find out if it's bricked or just a bad NAND etc.
1080xt 4.4

rekids said:
Been working on a project on the boot up sequence of the CC using a Bus Pirate and UART connections.
Unfortunately just got the Bus Pirate and possibly a bad CC that is bricked so not getting any result that is positive.
If you have used a BP on a CC and received any kind of good log, I would love to know how you set it up and if it was doable with only the TX pad and ground on the CC, as well as what you got for a data log at boot up.
Maybe then I can find out if it's bricked or just a bad NAND etc.
1080xt 4.4
Where is the serial port? I could check myself... (I should google that myself but I am in a meeting and later I have to rush somewhere else, I don't want to forget.)

UART connections are here http://wiki.gtvhacker.com/index.php/Google_Chromecast
Let me know what kind of results you get. Got a bad feeling mine is bricked or has a bad NAND; both LEDs are on when powered up. Also may be just a bad connection on the NAND.
You can PM me with results.
1080xt 4.4

Thanks for the input from those who sent info via PM and here. The TX on the CC and ground are all that is required to see the boot up info. All settings are posted at GTV and I recommend using PuTTY to get valid data; other terminals seem to not display correctly after start up.
1080xt 4.4

Related

[Q] Blocking Smart phone readers

Has anyone seen in the news the electronic readers the government is using which is capable of illegally stealing all private information from any type of smart phone?
Can anybody create a mod that will block a device like this from being used on the Nexus one?
http://www.prisonplanet.com/cops-us...l-cellphone-data-from-innocent-americans.html
Do you really believe what you read?
Say, 16GB of photos&data on iPhone, 1.5 minutes, count required transfer rate - quite simple - and then tell me, what kind of wireless connectivity does this "device" use to "steal data from unsuspecting people"?
Then ask yourself the first question again.
Now, if you look up the stated device's manufacturer site, http://www.cellebrite.com/forensic-products.html, you'll see that even in their photos it's perfectly clear this device has to be connected by wire to the phone. Does anyone in their right mind willingly connect the phone by USB to some device with unknown functionality? In that case, no, the data can't be protected.
Now, if you go even one more step further, and open the "supported devices" catalog on the site, you'll see that the only thing that can be done wireless to the iPhone is extracting phonebook - and I'm not sure about the requirement to allow the BT connection - but if you look up Nexus One, you'll see that it definitely has to be attached by wire to do anything with it.
And now back to the first question: do you believe everything you read?
Jack_R1 said:
Do you really believe what you read?
Say, 16GB of photos&data on iPhone, 1.5 minutes, count required transfer rate - quite simple - and then tell me, what kind of wireless connectivity does this "device" use to "steal data from unsuspecting people"?
Then ask yourself the first question again.
Now, if you look up the stated device's manufacturer site, http://www.cellebrite.com/forensic-products.html, you'll see that even in their photos it's perfectly clear this device has to be connected by wire to the phone. Does anyone in their right mind willingly connect the phone by USB to some device with unknown functionality? In that case, no, the data can't be protected.
Now, if you go even one more step further, and open the "supported devices" catalog on the site, you'll see that the only thing that can be done wireless to the iPhone is extracting phonebook - and I'm not sure about the requirement to allow the BT connection - but if you look up Nexus One, you'll see that it definitely has to be attached by wire to do anything with it.
And now back to the first question: do you believe everything you read?
But, it's on the internet, why would the internet lie? Are you calling the internet a liar?
I believe that if you soak your phone in warm, salty water overnight it will block this device - haven't tried though, so I can't confirm...
Umm... those Cellebrite devices are very real, and Michigan police are/were using them. They have the ability to pull the data off of thousands of different types of phones, over USB. I've never seen Android specifically listed on their site, but I'd be willing to bet their devices can pull data from Android too.
That being said, I can't believe people are handing over their phones. This whole thing stinks of illegal search and seizure. But, they're getting away with it by saying the person willingly handed over their phone (even though I'd bet they're being coerced). There would be absolutely no way I'd hand my phone over to any LEO without seeing a warrant first.
I was just mulling this over in my head... and I think the only way to block something like this would be to disable the data port on the phone. What that would involve from a software stand-point, I have no idea, and may not even be possible with how the hardware/software is designed... but that is basically the only way I'd see it to be possible.
Removing the USB driver (device functions) from the kernel would be enough, I believe.
In order for adb to work, you have to enable usb debugging. Wouldn't that be a requirement with this device, also?
OK, just because I pulled this from Prison Planet doesn't mean it's not true; it was the most convenient link at the time and hours later it was on the front page of Yahoo and all the major news sites. It would be easy for a policeman to take your phone from you and hook it up to whatever they want.
Yep, saw it tonight on NBC Nightly News with Brian Williams. Looks scary with some cops not using warrants to get your phone on a traffic stop...

[Q]about wifi packet sniffing and skype

So apparently, I can't bring my laptop everywhere to get my thing done, but I had a thought of referring that to my phone. I find any trusted app/script to get the packets to a cap file that would sit down in my SD card for further use. I'm not some evil mastermind that would go stealing anything (don't need anything now though). This is purely for learning since I'm still learning about IT but trying to get ahead, and since Android is something that I'm still not sure of how it works.
And my other question: How can I get video calling on Skype? I'm assuming it should work with GingerDX but it doesn't.
Bahurs1 said:
So apparently, I can't bring my laptop everywhere to get my thing done, but I had a thought of referring that to my phone. I find any trusted app/script to get the packets to a cap file that would sit down in my SD card for further use. I'm not some evil mastermind that would go stealing anything (don't need anything now though). This is purely for learning since I'm still learning about IT but trying to get ahead, and since Android is something that I'm still not sure of how it works.
The question is ... why would you want to run a packet capture? The payload data in the packets is encrypted anyway - so there's no real way to (assuming evil intentions) crack down on the convos of other users being in the same WLAN/LAN segment. If you're worried about Man-in-the-middle attacks take my word that it won't work. If you wiretap a Skype<->Skype chat/call via a man-in-the-middle attack the connection would fail as Skype would recognize that the end-to-end encryption is borked.
Anyhow, whatever your idea is ... Google for "Pixie" ... that's a network sniffer for Android, and the only one I happen to know (as real men use tcpdump or Wireshark for network analysis anyway).
Bahurs1 said:
And my other question: How can I get video calling on Skype? I'm assuming it should work with GingerDX but it doesn't.
No. Skype Video only works on a selected range of devices (read up on the description in the Market) having a FRONT camera (a camera that's facing you and not a camera that's at the back of your device facing away from you).
Look around on XDA/Google (in other words: SEARCH!) and you will find out that there's a hacked version that has Video enabled for some additional devices, though I don't know if that would support the back camera of the W8/X8.
Yeah I'm kinda sorry for the dumb question about Skype 'cause I just always forget to look it up when I sit down on the web.
As for the sniffer thing. I don't know who would ever need to investigate packets; of course I need to get the password. The situation is hard to explain, but let's say I need to prove that 14 digits of just numbers is a stupid idea for a long-range wifi access password.
I can't get my laptop there so I need an alternative to get some packets and then easily get the password at home, and as I said I'm not a genius in IT but I know how to use some of the features that BackTrack provides.

[Q] How can I tell what firmware my chromecast has?

I have just received a chromecast in its box. How can I tell what firmware is on the device? If it is still original firmware I'd like to root it. I didn't see this question posted elsewhere.
You must not allow the chromecast to connect to a wifi ssid / network which has Internet.
In my case, I had an old asus (dd-wrt) router laying around. I powered it up with nothing plugged into it. No rj45 cat 5/6 cables connected. Switched my phone wifi to this wireless ssid network. Ran the chromecast app, it found the chromecast, set up the chromecast to use this no Internet network by selecting it & typing in the router's password. After setting up the chromecast, the app shows the firmware version as being 12072.
If you allow the chromecast to connect to a wifi network which has Internet, then it will quickly auto update to a firmware version which can not currently be rooted.
[screenshot attachment]
It's tucked away a little in the chromecast app, but this should help some.
Arrow points to the firmware version location
Medicstud007 said:
I have just received a chromecast in its box. How can I tell what firmware is on the device? If it is still original firmware I'd like to root it. I didn't see this question posted elsewhere.
Just get the Chromecast app and select the Chromecast you are using. Then look at the pic below; it should be there.
Sent from the TermiNOTEr 2!
Thank you all my build is 12072 which means I can root it. I believe I saw a thread on here somewhere which gave more detailed instructions on how to root the device. Where is the correct file to flash to root the device without having to worry about pesky updates?
Medicstud007 said:
Thank you all my build is 12072 which means I can root it. I believe I saw a thread on here somewhere which gave more detailed instructions on how to root the device. Where is the correct file to flash to root the device without having to worry about pesky updates?
http://forum.xda-developers.com/showpost.php?p=45176635&postcount=133
I suggest you read the beginning few pages of the thread before flashing though.
Dying to know my fw version
Hello,
I've thoroughly read the instructions on how to root my Chromecast. Right after buying it, I set it up and I'm pretty much sure it got the official updates... so I ran to Best Buy to exchange it for a new one.
From thread comments, I know I have a shot at it having a vulnerable bootloader, now my problem is that OTG cables don't seem to exist where I live and I might have to go to Best Buy again to get one (long trip for a cable). Before I do that, I want to be certain that it'll work, but I cannot find where to see the build number. I somehow cannot get to the screen from the pictures.
I'm trying to set it up with a router that has no internet. Since this was a recommended method to check the build number, I thought it was possible, but so far I'm stuck with a message saying that ChromecastXXX connected to yournetwork, but can't access the internet.
At first I thought they had removed that from the Chromecast app, but I have installed the two older apks with the same results.
Could anyone tell me which step I'm missing?
I thought maybe I had this issue, but it's old and I was able to set up the previous Chromecast flawlessly.
Keep on trying to make it connect even though there is no internet; eventually it will give up and give you the number. That's how I got mine: it will say Chromecast XXX connected to network but can't access internet, and fail, but then if you keep going it will eventually show you the build number.
BurnOmatic said:
Keep on trying to make it connect even though there is no internet; eventually it will give up and give you the number. That's how I got mine: it will say Chromecast XXX connected to network but can't access internet, and fail, but then if you keep going it will eventually show you the build number.
Ugh, I did but it just times out and comes back to the same message. Perhaps it is a sign of a new firmware.
It will work dude, eventually it will say that it went through even though clearly you haven't got internet, and it will show the version number on the app. I did it through my PC, not through the phone.
BurnOmatic said:
It will work dude, eventually it will say that it went through even though clearly you haven't got internet, and it will show the version number on the app. I did it through my PC, not through the phone.
Thanks! Got it working now. Somehow it never worked at home but I tried it at work where internet is filtered through MAC addresses and that did the trick. Unfortunately it has an updated bootloader.
Not sure how much this will help, but I just went to Best Buy to return the 2nd Chromecast I had bought, since it came with a firmware newer than 12072. When I had purchased my first one, I hadn't done any research on rooting a Chromecast yet, and unfortunately allowed it to receive Google's OTA update. Before returning it, I took a picture of the serial number, pictured below. Tonight I decided to just get a refund at first, but then decided to take one third and final stab at getting one with a vulnerable bootloader. Thankfully, I kept the picture of the first one's serial number, and used it to compare against all of the Chromecasts that Best Buy had in stock. I only found one that began with "390...", since my originally purchased one began with "3901...". I live about an hour away from the closest Best Buy, so I decided to ask someone in Geek Squad if I could test it out to make sure it had the old firmware on it. He checked with someone else and was given the go ahead. We didn't plug it into the HDMI port, but he allowed me to plug it in to the USB port on a TV. Using the powered OTG micro USB cable I got in the mail today and a FlashCast drive I had created, I held the Chromecast button down and plugged the micro USB cable into the Chromecast. I waited to see if the red light would go away after about 9 seconds, and VOILA, it did. I'll soon officially test it out on my TV so that I can see if the FlashCast logo comes up on the screen, and I will report back.
EDIT: Sorry for the delay in reporting back. Looks like the 3rd time was a charm, and the Chromecast I purchased last finally worked. So it looks like it's safe to at least assume that Chromecasts with serial numbers that begin with at least "390", with a range between "3901..." and "3907...", may have vulnerable bootloaders. Not to say this is the end all be all of figuring this out, but the guesswork might be of some use for now, until all the old stock gets sold completely.
Sent from my HTC One using Tapatalk
Damn. I bought my chrome cast the other day and allowed it to update without knowing any of these forums existed
sent from a LG-MS870 using Katana v3 ROM by GT
I picked up 2 Chromecasts over the weekend from Best Buy (Mall of America). The first one had a 3Axxxxxxxx SN and was at 12940. The second one was a 39xxxxxx and was at 12072.
Versions with 12072 are still out there. Look for CC's with SN starting with 39 or 37.
guy4jesuschrist said:
Not sure how much this will help, but I just went to Best Buy to return the 2nd Chromecast I had bought, since it came with a firmware newer than 12072. When I had purchased my first one, I hadn't done any research on rooting a Chromecast yet, and unfortunately allowed it to receive Google's OTA update. Before returning it, I took a picture of the serial number, pictured below. Tonight I decided to just get a refund at first, but then decided to take one third and final stab at getting one with a vulnerable bootloader. Thankfully, I kept the picture of the first one's serial number, and used it to compare against all of the Chromecasts that Best Buy had in stock. I only found one that began with "390...", since my originally purchased one began with "3901...". I live about an hour away from the closest Best Buy, so I decided to ask someone in Geek Squad if I could test it out to make sure it had the old firmware on it. He checked with someone else and was given the go ahead. We didn't plug it into the HDMI port, but he allowed me to plug it in to the USB port on a TV. Using the powered OTG micro USB cable I got in the mail today and a FlashCast drive I had created, I held the Chromecast button down and plugged the micro USB cable into the Chromecast. I waited to see if the red light would go away after about 9 seconds, and VOILA, it did. I'll soon officially test it out on my TV so that I can see if the FlashCast logo comes up on the screen, and I will report back.
Sorry for the delay in reporting back. Looks like the 3rd time was a charm, and the Chromecast I purchased last finally worked. So it looks like it's safe to at least assume that Chromecasts with serial numbers that begin with at least "390", with a range between "3901..." and "3907...", may have vulnerable bootloaders. Not to say this is the end all be all of figuring this out, but the guesswork might be of some use for now, until all the old stock gets sold completely.
Sent from my HTC One using Tapatalk
I can verify that 3904 "should" have the original firmware. Spent an hour looking for one, and another 45 minutes making sure that the Wifi and my phone had no internet connection to them, and then trying to get it to connect fully, so I could see the firmware version. As soon as I switched from using the Chromecast app on my OG RAZR to using it on my Nexus 7 (2), it connected right away. It was the only one they had in the Best Buy near me that was even close as far as serial numbers go. Time to get my brick..uhh. I mean, unlock on
I can verify that 3As all have newer firmware, thus can't be rooted. I tried two from my local Best Buy
Greetings:
I'm trying to connect without updating since I just got my CC but to no avail since yesterday!!
I'm doing the "no internet router" option but don't even see the "home screen" when I connect
the CC to my TV set!! All I see is few colored "dots"!!
Am I doing something wrong? or do I have a faulty CC?
Any input is much appreciated.
P.S. My phone is a Nexus 4
My CC's SN starts with 3805xxxxxxxxxxx
samteeee said:
Greetings:
I'm trying to connect without updating since I just got my CC but to no avail since yesterday!!
I'm doing the "no internet router" option but don't even see the "home screen" when I connect
the CC to my TV set!! All I see is few colored "dots"!!
Am I doing something wrong? or do I have a faulty CC?
Any input is much appreciated.
P.S. My phone is a Nexus 4
My CC's SN starts with 3805xxxxxxxxxxx
Little dots means you are in recovery mode.
Try installing FlashCast and a custom ROM.
If you know the version is OK before you even connect it to a router and set it up you can setup the root!
mastermind278 said:
Little dots means you are in recovery mode.
Try installing FlashCast and a custom ROM.
If you know the version is OK before you even connect it to a router and set it up you can setup the root!
I certainly didn't do anything to be on the "Recovery" partition!!
I'm not sure what my build/firmware is but I guess I can always
just try to go for "root" and see if it'll happen, right? I mean there
is no harm in that!! I'll get my OTG by Monday so I can try it.

Brainstorm of remote exploit targets

Code:
Sooner or later it will be hard to get a rootable Chromecast. The community is limited by the number of people able to root their own devices. A remote exploit is desirable to expand the community. Please brainstorm and post progress in exploring the targets.
Targets:
Web interface
Chromecast executes commands to start netflix etc with user specified arguments. Arguments are sent through dial interface. From app.conf:
Code:
{ "app_name": "Netflix",
"external": true,
"command_line": "/bin/logwrapper /netflix/bin/netflix_init --data-dir /data/netflix/data -I /data/netflix/AACS -D QWS_DISPLAY=directfb -D LD_LIBRARY_PATH=/system/lib:/netflix/qt/lib -D NF_PLAYREADY_DIR=/data/netflix/playready -D KEYSTORE=/data/netflix/AACS -D KEYBOARD_PORT=7000 -D ENABLE_SECURITY_PATH=1 -D DISABLE_SECURITY_PATH_VIDEO=0 -D DISABLE_SECURITY_PATH_AUDIO=1 --dpi-friendlyname ${FRIENDLY_NAME} -Q source_type=12&dial=${URL_ENCODED_POST_DATA}",
"allow_empty_post_data": true,
"dial_info": "<port>9080</port><capabilities>websocket</capabilities>"
},
FFMPEG vulnerabilities
Intercepting updates (I know, the signatures would likely prevent this.)
Cable based attacks similar to current root methods
Soldering based attacks
Post your ideas and progress.
My chromecast is not rooted, so I can't get logs from netflix being run with different URL_ENCODED_POST_DATA, but we might be able to fork the command.
TVRemoteExploit said:
Code:
Sooner or later it will be hard to get a rootable Chromecast. The community is limited by the number of people able to root their own devices. A remote exploit is desirable to expand the community. Please brainstorm and post progress in exploring the targets.
Targets:
Web interface
Chromecast executes commands to start netflix etc with user specified arguments. Arguments are sent through dial interface. From app.conf:
Code:
{ "app_name": "Netflix",
"external": true,
"command_line": "/bin/logwrapper /netflix/bin/netflix_init --data-dir /data/netflix/data -I /data/netflix/AACS -D QWS_DISPLAY=directfb -D LD_LIBRARY_PATH=/system/lib:/netflix/qt/lib -D NF_PLAYREADY_DIR=/data/netflix/playready -D KEYSTORE=/data/netflix/AACS -D KEYBOARD_PORT=7000 -D ENABLE_SECURITY_PATH=1 -D DISABLE_SECURITY_PATH_VIDEO=0 -D DISABLE_SECURITY_PATH_AUDIO=1 --dpi-friendlyname ${FRIENDLY_NAME} -Q source_type=12&dial=${URL_ENCODED_POST_DATA}",
"allow_empty_post_data": true,
"dial_info": "<port>9080</port><capabilities>websocket</capabilities>"
},
FFMPEG vulnerabilities
Intercepting updates (I know, the signatures would likely prevent this.)
Cable based attacks similar to current root methods
Soldering based attacks
Post your ideas and progress.
My chromecast is not rooted, so I can't get logs from netflix being run with different URL_ENCODED_POST_DATA, but we might be able to fork the command.
What if somehow we were able to attack it like jailbreakme used to? Looking at the developer options in Chrome, you could write a program for your phone that has the cast button; when you click it, it'll tell the Chromecast to go to the app's domain where it automatically roots for you. I'm no developer, so I don't even know if that kind of hack would even be possible. I did download the cast app for Windows and it has a button for factory reset. Would it be possible to hack that Chromecast program and change the factory reset to use a hacked pulled firmware?
scarygood536 said:
What if somehow we were able to attack it like jailbreakme used to? Looking at the developer options in Chrome, you could write a program for your phone that has the cast button; when you click it, it'll tell the Chromecast to go to the app's domain where it automatically roots for you.
This would be extremely difficult to pull off, as you would need to both escape Chrome's sandbox and find a privilege escalation vulnerability in the Linux kernel or a setuid binary. Both Chrome and Linux are extremely mature and secure pieces of software, so vulnerabilities are few and far between and get patched quickly when they are found.
I tried tacking commands onto the tail of the netflix commands like this:
Code:
curl ****192.168.1.126:8008/apps/Netflix -X POST -d "intent=play&titleid=***%3A%2F%2Fapi.netflix.com%2Fcatalog%2Ftitles%2Fmovies%2F70138593;reboot"
, however I can't see the log file without root.
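The app.conf fragment quoted earlier in this thread substitutes ${URL_ENCODED_POST_DATA} straight into a command_line string, and the curl attempt above tacks ";reboot" onto the POST body to see whether that substitution reaches a shell. The Python below is an added illustration, not code from the thread or from Google's launcher (the page does not say how the Chromecast actually executes command_line), showing the two ways such a template can be rendered: tokenize first and substitute inside each argv element, versus substitute first and let a shell tokenize. The function names, the "Living Room" friendly name and the constructed POST body are assumptions.

```python
"""Rendering an app.conf command_line template safely vs. unsafely.

Added example for this thread. The template string is copied from the Netflix
entry quoted in the first post; the substitution values are constructed here.
"""
import re
import shlex

# Template copied verbatim from the app.conf fragment quoted in the thread.
NETFLIX_COMMAND_LINE = (
    "/bin/logwrapper /netflix/bin/netflix_init --data-dir /data/netflix/data "
    "-I /data/netflix/AACS -D QWS_DISPLAY=directfb "
    "-D LD_LIBRARY_PATH=/system/lib:/netflix/qt/lib "
    "-D NF_PLAYREADY_DIR=/data/netflix/playready -D KEYSTORE=/data/netflix/AACS "
    "-D KEYBOARD_PORT=7000 -D ENABLE_SECURITY_PATH=1 -D DISABLE_SECURITY_PATH_VIDEO=0 "
    "-D DISABLE_SECURITY_PATH_AUDIO=1 --dpi-friendlyname ${FRIENDLY_NAME} "
    "-Q source_type=12&dial=${URL_ENCODED_POST_DATA}"
)

PLACEHOLDER = re.compile(r"\$\{([A-Z_][A-Z0-9_]*)\}")

# Shell control operators that shlex (punctuation_chars mode) hands back as tokens.
CONTROL_OPS = {";", "&", "&&", "|", "||"}


def render_argv(template: str, variables: dict) -> list:
    """Safe order: tokenize the *template* once, then substitute placeholders
    inside each token. Whatever the value contains (';', '&', spaces) stays
    inside that single argv element and is never re-tokenized."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unset placeholder ${{{name}}}")
        return variables[name]

    return [PLACEHOLDER.sub(substitute, token) for token in shlex.split(template)]


def substitute_then_shell_split(template: str, variables: dict) -> list:
    """Unsafe order, simulated only (nothing is executed): substitute first,
    then parse the result the way /bin/sh would. Returns a list of simple
    commands, each a list of words, split at control operators."""
    line = PLACEHOLDER.sub(lambda m: variables[m.group(1)], template)
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # split on whitespace AND control chars (3.8+)
    commands, current = [], []
    for token in lexer:
        if token in CONTROL_OPS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Constructed values: a friendly name with a space, and a DIAL POST body in the
# spirit of the ";reboot" attempt quoted in the thread (title id is a placeholder).
SAMPLE_VARIABLES = {
    "FRIENDLY_NAME": "Living Room",
    "URL_ENCODED_POST_DATA": "intent=play&titleid=EXAMPLE_TITLE;reboot",
}


def main():
    argv = render_argv(NETFLIX_COMMAND_LINE, SAMPLE_VARIABLES)
    print("argv-level substitution: %d elements, last = %r" % (len(argv), argv[-1]))

    commands = substitute_then_shell_split(NETFLIX_COMMAND_LINE, SAMPLE_VARIABLES)
    print("shell-level substitution would run %d commands:" % len(commands))
    for cmd in commands:
        print("   ", cmd)
    # Note the template's own unquoted '&' in 'source_type=12&dial=' also splits
    # the line under shell parsing, even with a benign POST body.


if __name__ == "__main__":
    main()
```

Under argv-level substitution the ";reboot" text survives only as the tail of the single "-Q" value, whereas shell-level parsing turns it into a separate command, and the template's own unquoted "&" already breaks the line, which is a reason to doubt that the launcher feeds this string to a shell.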
tchebb said:
This would be extremely difficult to pull off, as you would need to both escape Chrome's sandbox and find a privilege escalation vulnerability in the Linux kernel or a setuid binary. Both Chrome and Linux are extremely mature and secure pieces of software, so vulnerabilities are few and far between and get patched quickly when they are found.
So is our best bet to find a vulnerability within the hardware level we could utilize and wouldn't have the chance of being patched?
In all honesty, the best method of attack would be to figure out the JTAG port. With that, you could then simply just flash back on the rootable bootloader on any device, and go from there. I doubt any software methods will be found, and even if one is found, it will be patched by Google within a month. The JTAG port however is at a hardware level, and unless it actually does signature checks (like the USB method does on updated devices), it would allow a person full control of the flash chip.
EDIT: To clarify, if the UART port is hardware based (like normal JTAG ports on wireless routers and such), then there should be no security checks. If, for whatever reason, it is software based though (so like fastboot, or Samsung's ODIN mode), then there is a chance it checks image files.
ddggttff3 said:
In all honesty, the best method of attack would be to figure out the JTAG port. With that, you could then simply just flash back on the rootable bootloader on any device, and go from there. I doubt any software methods will be found, and even if one is found, it will be patched by Google within a month. The JTAG port however is at a hardware level, and unless it actually does signature checks (like the USB method does on updated devices), it would allow a person full control of the flash chip.
EDIT: To clarify, if the UART port is hardware based (like normal JTAG ports on wireless routers and such), then there should be no security checks. If, for whatever reason, it is software based though (so like fastboot, or Samsung's ODIN mode), then there is a chance it checks image files.
Unfortunately (although I don't believe anyone has confirmed this on the Chromecast), all known GTV devices with this SoC ship with their JTAG port disabled. It may be possible to re-enable it in software, but (of course) that requires running your own kernel. The only hardware hack I know of that is sure to work is manually soldering a NAND flasher up to the memory chip and rewriting the partitions that way, which is expensive, error-prone, and extremely tricky to do right.
tchebb said:
Unfortunately (although I don't believe anyone has confirmed this on the Chromecast), all known GTV devices with this SoC ship with their JTAG port disabled. It may be possible to re-enable it in software, but (of course) that requires running your own kernel. The only hardware hack I know of that is sure to work is manually soldering a NAND flasher up to the memory chip and rewriting the partitions that way, which is expensive, error-prone, and extremely tricky to do right.
The more you know.
Well, while looking through the chromecast's "fts" partition in a hex editor, I found the following variable show up in multiple places.
Code:
device_configured=true
Makes me wonder what happens if this is flipped to false. I will look through the bootloader source more to see if it is used at a software level.
EDIT: Doesn't look like it does anything for us, seems to just enable the crash counter.
tchebb said:
Unfortunately (although I don't believe anyone has confirmed this on the Chromecast), all known GTV devices with this SoC ship with their JTAG port disabled. It may be possible to re-enable it in software, but (of course) that requires running your own kernel. The only hardware hack I know of that is sure to work is manually soldering a NAND flasher up to the memory chip and rewriting the partitions that way, which is expensive, error-prone, and extremely tricky to do right.
ddggttff3 said:
The more you know.
Well, while looking through the chromecast's "fts" partition in a hex editor, I found the following variable show up in multiple places.
Code:
device_configured=true
Makes me wonder what happens if this is flipped to false. I will look through the bootloader source more to see if it is used at a software level.
EDIT: Doesn't look like it does anything for us, seems to just enable the crash counter.
ddggttff3 said:
In all honesty, the best method of attack would be to figure out the JTAG port. With that, you could then simply just flash back on the rootable bootloader on any device, and go from there. I doubt any software methods will be found, and even if one is found, it will be patched by Google within a month. The JTAG port however is at a hardware level, and unless it actually does signature checks (like the USB method does on updated devices), it would allow a person full control of the flash chip.
EDIT: To clarify, if the UART port is hardware based (like normal JTAG ports on wireless routers and such), then there should be no security checks. If, for whatever reason, it is software based though (so like fastboot, or Samsung's ODIN mode), then there is a chance it checks image files.
Maybe I'm missing something, possibly am, but couldn't we dual boot firmwares? Have the normal factory firmware on the eMMC chip, then, install a rooted image to a USB stick. Next solder a different wire to each side of pin 26, finally solder a switch in between. This should force the device to load off the USB rather than eMMC. On paper it works. On the physical device? That could be a bit different. If you do try this, I'll do my best to help you and point you in the right direction.
The switch is to choose between the two firmwares, if however, you only want to boot from the USB, you could, possibly, just have a permanent jump of pin 26. That should force booting from the EMMC to fail every time forcing it to boot from USB.
NOTICE: none of these suggested ideas have been used and or tested. They work on paper only! The real device may, and possibly is, different! Attempt at your own risk.
OP, XDA, nor I am responsible for anything that happens to your device. If anything does happen it's completely on you! This is a dangerous hardware mod; I don't recommend it if you don't know how to solder. Also, the points for pin 26 are very very small, smaller than some soldering irons' tips. All of mine are way too big, and I have bought small tips to use on other mobile devices. If you mess this up there is none to very little chance of going back.
SECOND NOTICE: constantly jumping the 26th pin of the CPU could cause permanent hardware problems. If such problem does happen, it is not known at this time. Once again, this is a dangerous hardware mod that should not be attempted by those who aren't good with soldering.
The good news: if you do attempt this and it works, we could have a hardware way to be rooted. More good news is that if you mess up and can't fix it, then it's only $35 to get a new one.
Aaron Swartz, Rest in Pixels.
jamcar said:
The switch is to choose between the two firmwares; if, however, you only want to boot from the USB, you could possibly just have a permanent jump of pin 26. That should force booting from the eMMC to fail every time, forcing it to boot from USB.
Just to let you know, a permanent jump to pin 26 will cause the device to not boot at all. It causes a read interrupt to the eMMC, so if jumped permanently the device will not see the flash, so it wouldn't even load the bootloader. Jumping the pin should ONLY be used if the standard button-hold boot process does not work.
jamcar said:
Maybe I'm missing something, possibly I am, but couldn't we dual boot firmwares? Have the normal factory firmware on the eMMC chip, then install a rooted image to a USB stick. Next solder a different wire to each side of pin 26, finally solder a switch in between. This should force the device to load off the USB rather than eMMC. On paper it works. On the physical device? That could be a bit different. If you do try this, I'll do my best to help you and point you in the right direction.
The switch is to choose between the two firmwares; if, however, you only want to boot from the USB, you could possibly just have a permanent jump of pin 26. That should force booting from the eMMC to fail every time, forcing it to boot from USB.
NOTICE: none of these suggested ideas have been used and/or tested. They work on paper only! The real device may be, and possibly is, different! Attempt at your own risk.
Neither OP, XDA, nor I am responsible for anything that happens to your device. If anything does happen it's completely on you! This is a dangerous hardware mod; I don't recommend it if you don't know how to solder. Also, the points for pin 26 are very, very small, smaller than some soldering iron tips. All of mine are way too big, and I have bought small tips to use on other mobile devices. If you mess this up there is none to very little chance of going back.
SECOND NOTICE: constantly jumping the 26th pin of the CPU could cause permanent hardware problems. If such a problem does happen, it is not known at this time. Once again, this is a dangerous hardware mod that should not be attempted by those who aren't good with soldering.
The good news: if you do attempt this and it works, we could have a hardware way to be rooted. More good news is that if you mess up and can't fix it, then it's only $35 to get a new one.
Aaron Swartz, Rest in Pixels.
This wouldn't work with any post-12072 bootloader, since the USB image's signature is still checked. The signature verification would simply fail and the device would fail to boot, same as if you tried to boot from USB with a button press.

Force Eureka firmware ?

Where is the firmware stored (ie chip)
Inside the Chromecast? My thinking may be off, but is it possible to have the unit boot and load the firmware we want if the firmware is manually written to memory? I have not found much information on the JTAG port, but I see it also has a 16 gig TSOP as well as 4 or 8 gig of DDR memory. I assume the DDR is used as a buffer for the CPU and the memory in the CPU is for storing the bootloader, so I'm hoping the TSOP is where the firmware is stored. If we were able to write the firmware there, would we be able to achieve our needed root, or would the current firmware on the chip be useful for finding an exploit to root?
I would think, unless we are changing the bootloader when we root the unit now at low serial numbers, it would be the same as writing a ROM to a phone and using a factory bootloader.
Correct me if I am all messed up here, please.
1080xt root 12.15.15
rekids said:
Where is the firmware stored (ie chip)
Inside the Chromecast? My thinking may be off, but is it possible to have the unit boot and load the firmware we want if the firmware is manually written to memory? I have not found much information on the JTAG port, but I see it also has a 16 gig TSOP as well as 4 or 8 gig of DDR memory. I assume the DDR is used as a buffer for the CPU and the memory in the CPU is for storing the bootloader, so I'm hoping the TSOP is where the firmware is stored. If we were able to write the firmware there, would we be able to achieve our needed root, or would the current firmware on the chip be useful for finding an exploit to root?
I would think, unless we are changing the bootloader when we root the unit now at low serial numbers, it would be the same as writing a ROM to a phone and using a factory bootloader.
Correct me if I am all messed up here, please.
1080xt root 12.15.15
That's pretty much what FlashCast did until Google plugged the hole that would let you hijack the boot process....
I don't know how diligently some have been looking but since Google plugged that hole there seems to be no way into the CCast anyone can find.
rekids said:
Where is the firmware stored (ie chip)
Inside the Chromecast? My thinking may be off, but is it possible to have the unit boot and load the firmware we want if the firmware is manually written to memory? I have not found much information on the JTAG port, but I see it also has a 16 gig TSOP as well as 4 or 8 gig of DDR memory.
It was written elsewhere that the gtvhacker team found the JTAG pins are disabled at the hardware level.
There was also mention that there may be device-specific encryption, but no confirmation on that. Someone with an EEPROM programmer and soldering station who can swap chips would have to confirm.
That I have (chip programmer and soldering station); I just have not decided if it is stored on the 48-pin TSOP, as that is the easiest to gain access to. This is one of a couple of things I would need to know, or at least have a good idea about, before tearing my non-rooted unit apart.
IF... the firmware is stored there and I had an image of the Eureka firmware that needs to be on the TSOP, then tearing it apart is worth the test. I don't see the software being encrypted to the device, since JTAG has been disabled; it seems like a lot of work and keys needed for a simple, low-cost device, but I could be wrong. The other thing I would need to do is go through the data sheet on the TSOP to see if it has a write-once area or a locked portion that would require a key from the CPU to allow writing, but I kinda doubt that.
So if someone has info on the actual image, preferably a .bin image of Eureka in the correct data location, that would be great.
My thought is, if it is that simple, then ISP may be possible for the average tinkerer with a simple chip programmer, or it could even make it possible for someone to program on a larger scale for a small fee of like $5 or $10 instead of $100 on eBay or finding the last few with old software out there.
1080xt root 12.15.15
I like this thread; hopefully it will be cracked open... just like the PS3 was, miraculously, despite many theories that it was impossible to hack, even after Sony plugged the holes again and again.
Sent from my Nexus 5 using Tapatalk
Just a small update. Removed the TSOP and went to read it using factory default settings and found the first 141 blocks are invalid and the rest of the chip was blank ("FF"). Changed the settings to not skip over the 141 blocks and got a 2 gig data file. Not sure if this is a good thing yet; need to sort through to see if any of the data is intact and valid. My Chromecast is using current firmware. The TSOP does hold 16 gigs of data. Only data seen so far is up to data block 3F3C000, then blank from that point on.
Could really use another TSOP from another Chromecast even a dead one for comparison.
1080xt root 12.15.15
Not sure, but maybe @Team-Eureka has a dead CCast they can donate/lend to your effort...
Need some help from someone who knows a few things about the Chromecast.
What I am able to do right now is read and write whatever is stored on the 16 gig TSOP that is in the Chromecast. As far as I can see this is where the firmware should be stored.
The idea is to write the desired firmware to the TSOP and have the Chromecast boot that software instead.
Problem... the data that is recovered from my up-to-date Chromecast has about 200-500 MB of data towards the beginning of the blocks and a few more MB just before the end of the blocks. The total .bin file is about 2.2 gigs. When viewing the contents of the .bin there is no readable text (for example "Google", "version", "build" and so forth), and there is usually at least something in text format when viewed in WinHex for other devices that I have read and written to in the past.
What I don't know is where exactly on the TSOP the firmware begins or ends, the location of checksum(s), and an image of the Eureka firmware as it is written on the TSOP.
A possible solution is a TSOP that has had the firmware already loaded, or an image of that TSOP, or possibly even the rootable firmware image.
Any help is great. I have been on the IRC channels of Eureka and Gtvhacker and asked there but had no response.
The programmer I have is an older Dataman 48pro (the newer version is more efficient and does multiple chips at once); it is very reliable and takes about 20 minutes for a complete read of the 16 gig TSOP. The chip does need to be removed and placed in the adapter to read, since ICP is not supported by the TSOP, and from my research the JTAG or UART has been disabled, I suspect within the processor.
Anyone with info or even an idea would be great.
Thanks
Rekids
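A triage script for a raw dump like the one described above, added here as an example and not code from this thread or from the gtvhacker or Team Eureka projects: it maps each page as erased (all 0xFF), all-zero, plain data or high-entropy (what compressed or encrypted content looks like, which is one reason a hex viewer shows no readable text), coalesces them into regions, and pulls printable strings out of the plain regions only. The 2 KB page size and the sample dump are assumptions; the real chip's geometry comes from its datasheet.

```python
import hashlib
import math
from collections import Counter

PAGE = 2048  # assumed page size; take the real geometry from the TSOP datasheet

def shannon_entropy(buf):
    # Bits per byte: 0.0 for a uniform page, close to 8.0 for random-looking bytes.
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def classify_page(buf):
    if not buf.strip(b"\xff"):  # erased flash reads back as all 0xFF
        return "blank"
    if not buf.strip(b"\x00"):
        return "zero"
    # Compressed or encrypted images look random; plain code, text and tables do not.
    return "high-entropy" if shannon_entropy(buf) > 7.5 else "data"

def map_regions(dump, page=PAGE):
    # Coalesce consecutive pages of the same kind into (kind, start, end) tuples.
    regions = []
    for off in range(0, len(dump), page):
        kind = classify_page(dump[off:off + page])
        end = min(off + page, len(dump))
        if regions and regions[-1][0] == kind:
            regions[-1][2] = end
        else:
            regions.append([kind, off, end])
    return [tuple(r) for r in regions]

def find_strings(dump, regions, minlen=8):
    # Printable-ASCII runs inside "data" regions only, as (offset, text).
    found = []
    for kind, start, end in regions:
        if kind != "data":
            continue
        run = None
        for i in range(start, end + 1):
            printable = i < end and 0x20 <= dump[i] <= 0x7E
            if printable and run is None:
                run = i
            elif not printable and run is not None:
                if i - run >= minlen:
                    found.append((run, dump[run:i].decode("ascii")))
                run = None
    return found

def build_sample():
    # Constructed dump (not a real image): one plain page, one pseudo-random page, two erased pages.
    plain = b"CONSTRUCTED SAMPLE: version marker text".ljust(PAGE, b"\x00")
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(PAGE // 32))
    return plain + noise + b"\xff" * (2 * PAGE)
```

For a real image, pass `open("dump.bin", "rb").read()` to `map_regions` and print the offsets in hex to compare against the 3F3C000 boundary mentioned earlier.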
Team Eureka hangs out in #team-eureka though they've been busy lately... Wish I knew more but hardware is my weakness.
bhiga said:
Team Eureka hangs out in #team-eureka though they've been busy lately... Wish I knew more but hardware is my weakness.
We are here, we are just quiet. A NAND dump was sent his way.
Thank you, and yes, I understand being busy; I work 40+ then have stuff I do at home with 4 kids and the wife, not to mention I do a few things out of town each week.
I did get a full NAND image; just got to compare it with the read I got and see if they are in line with each other as to location and type of code, in case it is different after it passes through the CPU.
Will keep you posted, as to findings.
1080xt root 12.15.15
Just in case anyone is following this,
I did get the bootloader downgraded to a rootable version written on the NAND. Downside is I was not able to get the NAND remounted well enough for a boot without some liquid flux I had lost around the house somewhere, so I ordered some more. It is definitely possible to change all the data in the NAND with a programmer, but the NAND has to be removed from the PCB and then remounted. But I have to wait for supplies to show up and then a day I can play around with this project again.
The Chromecast I am working with is one with a serial number of 3B and it has updated to the most recent firmware.
Anyhow, will post when I have it booting again.
1080xt root 12.15.15
rekids said:
Just in case anyone is following this,
I did get the bootloader downgraded to a rootable version written on the NAND. Downside is I was not able to get the NAND remounted well enough for a boot without some liquid flux I had lost around the house somewhere, so I ordered some more. It is definitely possible to change all the data in the NAND with a programmer, but the NAND has to be removed from the PCB and then remounted. But I have to wait for supplies to show up and then a day I can play around with this project again.
The Chromecast I am working with is one with a serial number of 3B and it has updated to the most recent firmware.
Anyhow, will post when I have it booting again.
1080xt root 12.15.15
Wow, great work [emoji3][emoji106]
Although this is a method that only a few users might use, I'm glad to see someone doing this kind of stuff.
Eagerly waiting to hear if you manage to pull it together and eventually root your device [emoji2]
Sent from my Nexus 4
Can't wait to hear your upcoming updates either. Good work.
Sent from my Nexus 5 using Tapatalk
rekids said:
Just in case anyone is following this,
I did get the bootloader downgraded to a rootable version written on the NAND. Downside is I was not able to get the NAND remounted well enough for a boot without some liquid flux I had lost around the house somewhere, so I ordered some more. It is definitely possible to change all the data in the NAND with a programmer, but the NAND has to be removed from the PCB and then remounted. But I have to wait for supplies to show up and then a day I can play around with this project again.
The Chromecast I am working with is one with a serial number of 3B and it has updated to the most recent firmware.
Anyhow, will post when I have it booting again.
1080xt root 12.15.15
Lots of us are following.
This is great news.
But yes, only for advanced users. But once it is perfected a clip could probably be made like the PS3/360 NAND clips.
Just to be sure everyone is aware, all thanks goes to those who really deserve it: Gtvhackers for the original and only exploit that we have, everyone at Team Eureka, and above all else a very helpful and encouraging person who has helped with the vital info that was needed and was willing to spend time helping me out without knowing a thing about me (just a noob).
Thanks so much, ddggttff3, for the help.
1080xt
Could this be used to flash the TSOP without desoldering?
http://www.ic2005.com/shop/product.php?productid=137&cat=0&featured=Y
I've been out of the modding scene for years and haven't kept up.
Sent from my Nexus 4 using Tapatalk
Looks more like a way to connect while mounted than a way to program. The NAND requires a particular set of instructions to do anything, really. The way I understand it, what needs to happen to program and write is a couple of things:
1. connection to the right pins (obtained with the item you mentioned, or by placing it in an adapter with individual connections for each pin)
2. uninterrupted communication (may have issues with resistors, caps, CPU and any other items on the board connected to the NAND)
3. an instruction set for communication to the NAND to have it do what you want.
I have not come across anything as of yet suggesting in-circuit programming is possible outside of the use of the UART or JTAG. And since, as far as I can find, the correct set of UART pins are not connected and the JTAG is either disabled or not connected, that makes in-circuit programming not possible as of right now.
A data sheet on the 88DE3005 has not been found by me as of now. Marvell seems to keep that info unavailable to us.
A map of the Armada Mini would be great, and a pinout of the board connections would help to see if that would be possible in the future.
1080xt 4.4
So I got my stuff to remount the NAND with the bootloader changed to the exploitable one and... no boot. Not sure what exactly went wrong; got a sneaky feeling it may have died during the attempt to remount, before I got my stuff, with a big fat soldering iron. Gonna go get another and try again.
It is definitely easier to remount when you use liquid flux and not just try to hit each leg with a soldering iron.
Any news? Have we found a hardware method of rooting?