[ROOT] HubCap Chromecast Root Release! - Google Chromecast

Dear XDA Users,
We’re happy to announce that fail0verflow, GTVHacker, and Team-Eureka have jointly discovered and exploited a new vulnerability in the Chromecast which allows root access on the current software build (17977) as well as new in box devices (proof).
Requirements
Chromecast Device
Teensy 2 or 2++
Teensy 2 - https://www.pjrc.com/store/teensy.html
Teensy 2++ - https://www.pjrc.com/store/teensypp.html
Teensy Loader - https://www.pjrc.com/teensy/loader.html
1GB+ Flashdrive
The files included in the zip
Instructions
Install the appropriate Teensy Root Package on your device.
If New In Box device, use 12940 otherwise use 16664.
Use plusplus_*.hex for 2++ model, regular_*.hex for 2 model
Using Win32DiskImager or dd, install the Flashcast Image to the 1G+ Flashdrive.
Plug in the Teensy to a USB OTG Cable, and plug it into the Chromecast while holding down the reset button.
The Teensy light should start flashing. If not, try the process again. After 30 seconds, it should go solid orange and the Chromecast LED should turn white.
Unplug the Teensy, then plug in the flashdrive loaded with Flashcast into the OTG cable, and then press the Chromecast button again.
If you used the 12940 image, the LED should turn white. If you used the 16664 image, the LED should stay dim red.
After about 5 minutes, the Chromecast should reboot and your device should now be rooted!
Having Problems?
“I am using a USB hub with an OTG cable, why is it not working?”
This root method requires a powered OTG cable and will not work over a USB hub. This is because the Teensy needs to be directly connected to the Chromecast to work and cannot go over a USB hub.
“How can I tell if the root is running?”
If the Chromecast is plugged into a TV, you should see a Flashcast message telling you your device is being rooted. If you do not see this message, unplug the Chromecast and try again.
Created By
@fail0verflow
@gtvhacker
@Dev_Team_Eureka
Shoutouts
Google Inc. - Thanks for the awesome device, now add fastboot support
XDA-Developers - For being the home of Chromecast Development
Download
Exploit Demo: https://www.youtube.com/watch?v=S2K72qNv1_Q
Download: http://download.gtvhacker.com/file/chromecast/HubCap.zip
Source:
GitHub: https://github.com/axoltl/HubCap

Brilliant -- working through the steps now!
One bit of missing hardware that may seem obvious: you'll need a USB-to-MiniUSB cable to program the Teensy. It doesn't ship with one and it wasn't shown in the video. I had a spare, so I'm in business and will edit my post once I'm able to successfully flash my Chromecast, but it may need to be put down on the required parts list.
UPDATE: worked like a charm!
The rooted device was purchased from Amazon two days ago with Prime shipping. Its S/N begins 3C24***. I couldn't tell you how happy I am to have not missed root this time around.
Thanks again for all your work, guys!

Awesome, thanks! Downloading now and will update!
Edit: flawless victory! Rooted 2 CC, one new in box and the other on latest firmware. Great work! Can't wait to see the source to understand how the exploit took place.

Amazing! Thanks!

Yea! I have a rooted CCast....
Just a note for Windows users who use win32mage....the flashcast image doesn't show using the browse because it's a BIN not an IMG file...
Just remove the file filter to *.* to see the proper image to burn to the USB Jump Drive.

Congrats to the team!

Gonna get my teensy asap! CC unplugged until then. Thank you so much, team!!

Is this persistent and does it block OTAs?

Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.
It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?
I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.
Thoughts?

psouza4 said:
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.
It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?
I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.
Thoughts?
Not sure but one of the ones I just rooted was 37*** that was on the latest ota.
I used the 16664 with a 2++
Sent from my 831C using Tapatalk

psouza4 said:
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.
It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?
I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.
Thoughts?
The exploit should still work on the older 36** serial device with the 16664 hex file. Double check to make sure the firmware on it is 16664 or greater. You won't be able to SSH into the device unless the root flashcast image is running.

Awesome! I'll keep my Chromecast off the Internets till I get the board :good:
They have it on Adafruit, which is where I got my Pi and Arduino stuff.

ddggttff3 said:
The exploit should still work on the older 36** serial device with the 16664 hex file. Double check to make sure the firmware on it is 16664 or greater. You won't be able to SSH into the device unless the root flashcast image is running.
I am an idiot and didn't press the button on the Chromecast the second time to initiate payload from the flash drive. This is TWICE I did it and forgot about it both times.
Thanks!

Will this work with a Teensy 3.0?

mazzanet said:
Will this work with a Teensy 3.0?
Nope, only the Teensy 2 and Teensy++ 2 are supported (and there are separate images for both).
http://forum.xda-developers.com/showpost.php?p=54885650&postcount=9

Rooted one of my chromecasts. Thanks!

psouza4 said:
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.
It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?
I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.
Thoughts?
I found it difficult to power up the system and hold the CCast button down while doing it...
Figured out that if I POWER up the OTG cable and Teensy First it was much easier to hold the button and plug the CCast power in.
Try that....The Teensy should flash, if it doesn't reprogram it.
Make sure you use the Flashcast in the Hub release not the original found elsewhere on XDA

Asphyx said:
I found it difficult to power up the system and hold the CCast button down while doing it...
Figured out that if I POWER up the OTG cable and Teensy First it was much easier to hold the button and plug the CCast power in.
Try that....The Teensy should flash, if it doesn't reprogram it.
Make sure you use the Flashcast in the Hub release not the original found elsewhere on XDA
This is already resolved (posted above): I had forgotten to hit the button a second time for the flash drive payload.

psouza4 said:
I am an idiot and didn't press the button on the Chromecast the second time to initiate payload from the flash drive. This is TWICE I did it and forgot about it both times.
Thanks!
I often wish there was something like the Teensy loader to upload code to my own head so I wouldn't forget to do things! LOL!

I have an unopened 39xxxxxx.
Should I update it to 16664+ before rooting?
I don't know the version it comes with.

Related

HOWTO: Force Chromecast to Boot from USB (Possible Brick Recovery Method)

WARNING: This should be the VERY VERY VERY VERY (Am I clear enough about this?) LAST thing you do to try and fix a chromecast. This can possibly fry a chromecast for good, so know going into this that it may not work!
Because of this, Me, XDA, and all other users are NOT RESPONSIBLE for any damage, problems, or issues that may arise from using this method. By using this tutorial, you agree and understand the above warning.
So, I had a Chromecast that I got stuck in "backupsys" boot mode, where it would try to boot the backupsys partition. Issue is, it would not boot, and you can't force it to boot from jumpdrive while it is in "recovery" or "backupsys" mode.
Well, after tearing the thing down and getting UART set up, I started messing around, and found a way to FORCE the device to read from USB, regardless of the boot mode.
How this works is during the boot process, you jump 2 select pins on the PCB by the CPU, which causes the device to have a block read error while reading the system flash. When this happens, the device falls back into USB read mode.
Because this causes a read interrupt, it "MAY" have unknown effects on the longevity of your device, so like I said before, this should be a LAST RESORT OPTION ONLY.
What You Need:
Chromecast with Rootable Bootloader
Paper Clip/Needle to jump some TINY pins
UART hooked up to your computer
Jump Drive with the Root Image & USB OTG Cable
Process:
Step 1: Tear down your device, and have it hooked up to UART on your computer.
Step 2: Have the USB OTG Cable and Jump Drive with the root image plugged into the chromecast. Do not have it plugged into power yet.
Step 3: On the top side of the chromecast (Not the side with the UART Pins), carefully remove the RF shield to reveal the WiFi Chip and CPU.
Step 4: Have putty open and connected to your UART COM port. Also have "reboot recovery" in your clipboard. (Copy that command so you can right-click in putty to send it quick)
Step 5: Now, prepare to jump pin #26 (shown in photo below, marked with red square on right side of CPU) when you plug in the chromecast to power it.
Step 6: Plug in the chromecast power, and watch the UART output. Once the Chromecast LED turns red, use the paper clip to short pin #26 and you should get the following output:
Code:
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
PG868: leakage=208 vcore=10 sysctl=59
Customer key found, loading customer key...
Loading Secure Customer Key Store is finished
Loading Secure Customer Key Store is finished
Finish loading Customer Key store
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
OTP status=0x000000FF lkg curr=208 mA
nand_randomizer_init_by_flash_type(chip_id = 0x2C48044AA500): !!! RANDOMIZED !!!
[FASTLOGO] init.
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
showlogo_init_irq, Enable IRQ_dHubIntrAvio0(0x20) for cpu 0
[FASTLOGO] done.
fts: v155 loaded from 0x00268000
Read failed @ 0x7814c000
ERROR: Failed to read CPU image ret -1
Booting from NAND failed, booting from USB....!
timer_clk_freq = 0x47868c0
USB: Register 10011 NbrPorts 1
USB EHCI 1.00
scanning bus for devices... 2 USB Device(s) found
scanning bus for storage devices... 1 Storage Device(s) found
If you do not see "Booting from NAND failed, booting from USB....!", unplug the chromecast, and try again.
Step 7: The chromecast will now try and boot the Jump Drive image. During this, there will be a root shell hiding under all the output. You need to QUICKLY and repeatedly press Enter until you see "/ # " flash on the screen. Once you see that flash, QUICKLY press right-click so putty pastes your clipboard, and then press enter. If you do this fast enough, the kernel will run "reboot recovery" and restart.
Step 8: The device will now try to boot the normal recovery partition. This is fine, because even if it fails, the bootloader will detect this and reset the device to normal boot mode after a few power cycles. After a few power cycles, the chromecast should eventually show the following over UART:
Code:
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
PG868: leakage=208 vcore=10 sysctl=59
Customer key found, loading customer key...
Loading Secure Customer Key Store is finished
Loading Secure Customer Key Store is finished
Finish loading Customer Key store
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
OTP status=0x000000FF lkg curr=208 mA
nand_randomizer_init_by_flash_type(chip_id = 0x2C48044AA500): !!! RANDOMIZED !!!
[FASTLOGO] init.
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
showlogo_init_irq, Enable IRQ_dHubIntrAvio0(0x20) for cpu 0
[FASTLOGO] done.
fts: v168 loaded from 0x0029c000
[SHOWLOGO] stopped
Boot normal GTV image
fts: record v169 commited @ 0x002a0000
Uncompressing Linux... done, booting the kernel.
And congrats, the device is now back to Normal Boot Mode! You can now hold the power button during power on to properly flash the rooted image, and your device should be good to go!
DEVS: If you want to help make this easier, can you make a USB image that just boots the kernel and stops at command line? Would make this process easier.
FAQ:
Q: Why do I need this? I can just hold down the button to boot from a Jump Drive.
A: This is true, but if a Chromecast is in any other boot mode besides normal, then it will be unable to boot from USB. This is just how the bootloader is coded. (I submitted a patch to google regarding this, even though it would never help us out thanks to the updated locked bootloader).
Q: Will this allow me to Downgrade/Root my device?
A: Answer is Probably not, even though this is untested. This is because the bootloader is still loading from the device, so it will still probably check the USB Drives image for a valid signature.
Q: I tried this, but my device still won't boot.
A: Well then there is probably not much else you can do, besides looking for a fix yourself. Remember, it's a $35 dollar device so it may just be best to buy a new one.
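Added example, not part of the original post: a small Python parser for UART captures like the two quoted above, reporting whether the bootloader booted normally or fell back from NAND to USB after a read failure. The function, class and field names are made up for illustration, and the sample text is trimmed from the two captures in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines trimmed from the two UART captures quoted in the post.
USB_FALLBACK_CAPTURE = """\
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
fts: v155 loaded from 0x00268000
Read failed @ 0x7814c000
ERROR: Failed to read CPU image ret -1
Booting from NAND failed, booting from USB....!
scanning bus for devices... 2 USB Device(s) found
scanning bus for storage devices... 1 Storage Device(s) found
"""

NORMAL_CAPTURE = """\
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
fts: v168 loaded from 0x0029c000
[SHOWLOGO] stopped
Boot normal GTV image
fts: record v169 commited @ 0x002a0000
Uncompressing Linux... done, booting the kernel.
"""

HEX = r"(0x[0-9a-fA-F]+)"
STRAP = re.compile(r"boot_strap=" + HEX + r" \(source=(\w+)\), boot_state=" + HEX)
FTS_LOADED = re.compile(r"fts: v(\d+) loaded from " + HEX)
FTS_COMMIT = re.compile(r"fts: record v(\d+) commited @ " + HEX)  # spelling as logged
READ_FAIL = re.compile(r"Read failed @ " + HEX)
STORAGE = re.compile(r"(\d+) Storage Device\(s\) found")


@dataclass
class BootReport:
    strap_source: Optional[str] = None      # boot source selected by the strap
    boot_state: Optional[int] = None
    bootloader_verified: bool = False
    fts_loaded: Optional[int] = None        # fts record version read at boot
    fts_committed: Optional[int] = None     # fts record version written at boot
    nand_read_failures: List[int] = field(default_factory=list)
    usb_fallback: bool = False
    storage_devices: Optional[int] = None   # None: capture ended before the scan
    normal_boot: bool = False

    @property
    def boot_source_overridden(self) -> bool:
        # Strapped for NAND, yet the bootloader ended up looking at USB.
        return self.strap_source == "NAND" and self.usb_fallback

    @property
    def outcome(self) -> str:
        if self.usb_fallback:
            return "usb-fallback-no-media" if self.storage_devices == 0 else "usb-fallback"
        return "normal" if self.normal_boot else "unknown"


def parse_capture(text: str) -> BootReport:
    """Summarise one power-on worth of bootloader output."""
    report = BootReport()
    for raw in text.splitlines():
        # Serial captures often carry CRs and stray non-printable bytes.
        line = "".join(ch for ch in raw if ch.isprintable()).strip()
        if not line:
            continue
        # search(), not match(): some messages are fused onto one line.
        m = STRAP.search(line)
        if m:
            report.strap_source = m.group(2)
            report.boot_state = int(m.group(3), 16)
        m = FTS_LOADED.search(line)
        if m:
            report.fts_loaded = int(m.group(1))
        m = FTS_COMMIT.search(line)
        if m:
            report.fts_committed = int(m.group(1))
        m = READ_FAIL.search(line)
        if m:
            report.nand_read_failures.append(int(m.group(1), 16))
        m = STORAGE.search(line)
        if m:
            report.storage_devices = int(m.group(1))
        if "bootloader image verified" in line:
            report.bootloader_verified = True
        if "Booting from NAND failed, booting from USB" in line:
            report.usb_fallback = True
        if "Boot normal GTV image" in line:
            report.normal_boot = True
    return report


if __name__ == "__main__":
    for name, capture in (("fallback", USB_FALLBACK_CAPTURE), ("normal", NORMAL_CAPTURE)):
        r = parse_capture(capture)
        print(name, r.outcome, [hex(a) for a in r.nand_read_failures], r.fts_loaded)
```

An "unknown" outcome means neither marker line appeared in the capture, which is what you get when the log was cut short.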
Reserved
This reminds me of what people did for the xbox 360 with the dual nand chips, or what Adam Outler did with the galaxy camera. He had a switch that would choose whether to boot the default eMMC or a SD card.
Aaron Swartz, Rest in Pixels.
ddggttff3 said:
Reserved
Can you explain why you chose pin 26?
Thanks
zackoch said:
Can you explain why you chose pin 26?
Thanks
In all honesty, trial and error with a device I didn't think would ever work again.
EDIT: Also, getting very very lucky.
jamcar said:
This reminds me of what people did for the xbox 360 with the dual nand chips, or what Adam Outler did with the galaxy camera. He had a switch that would choose whether to boot the default eMMC or a SD card.
Aaron Swartz, Rest in Pixels.
In case anyone didn't pick up on my meaning, it would be cool if we could use a switch to boot from USB or eMMC.
Aaron Swartz, Rest in Pixels.
jamcar said:
In case anyone didn't pick up on my meaning, it would be cool if we could use a switch to boot from USB or eMMC.
Aaron Swartz, Rest in Pixels.
Technically this may be possible, but I am not a developer but don't quote me. The fact that we can load a kernel off a jump drive though should mean we have the ability to load and run a system image off of a jump drive.
I just got a second chromecast and am awaiting my USB OTG power cable, I do plan to root this one and work on seeing if my idea is possible.
Aaron Swartz, Rest in Pixels.
How did you get the remainder of the shield off? I got the covers off but I can't get the shield off.
EDIT: I got it. Another question: do you leave your chromecast "naked" or?
jamcar said:
How did you get the remainder of the shield off? I got the covers off but I can't get the shield off.
EDIT: I got it. Another question: do you leave your chromecast "naked" or?
You should put the RF shields back on after you do this modification, as they prevent interference and issues. During the dissection of my device though, I fully removed the shields (including the sides), so I have no choice but to run that one naked, but it is sitting on the side as I have another rooted chromecast I use for day to day usage.
Short pin 26 to Ground?
Sent from my XT897 using XDA Premium 4 mobile app
rbeavers said:
Short pin 26 to Ground?
Sent from my XT897 using XDA Premium 4 mobile app
To be more clear, you should jump both pins at point 26. I am planning on re-doing this thread now that flashcast is out, and can make this a hell of a lot easier.
Have not used my chromecast since I bought it, prob early August. Used it the first day and put it back in the box. Decided to play with it again and root it. Problem is as soon as you plug it into the TV it starts to update (have/had wifi off just in case). So I assume it downloaded the update way back when I first used it. Not sure if this update patches the root exploit or not and I don't want to find out. Will this method get me out of "update mode"? Anything else I can try? You mentioned Flashcast, any way to use it?
Thanks
BB
Bad Bimr said:
Have not used my chromecast since I bought it, prob early August. Used it the first day and put it back in the box. Decided to play with it again and root it. Problem is as soon as you plug it into the TV it starts to update (have/had wifi off just in case). So I assume it downloaded the update way back when I first used it. Not sure if this update patches the root exploit or not and I don't want to find out. Will this method get me out of "update mode"? Anything else I can try? You mentioned Flashcast, any way to use it?
Thanks
BB
First off, any official OTA for the chromecast will patch the root exploit, so if that update goes through you will be unable to root your chromecast.
As for this method working for you, if you follow the jumping method as stated in OP, then yes, this method would force your chromecast to boot from the USB Cable.
As for using flashcast, thanks to tchebb's help, if you just boot flashcast 1.1.1 on a jumpdrive, it will automatically delete the OTA from the device, and reset the boot mode back to normal. So the need to use UART is no longer required!
ddggttff3 said:
First off, any official OTA for the chromecast will patch the root exploit, so if that update goes through you will be unable to root your chromecast.
As for this method working for you, if you follow the jumping method as stated in OP, then yes, this method would force your chromecast to boot from the USB Cable.
As for using flashcast, thanks to tchebb's help, if you just boot flashcast 1.1.1 on a jumpdrive, it will automatically delete the OTA from the device, and reset the boot mode back to normal. So the need to use UART is no longer required!
I've tried doing the root method posted here:
http://forum.xda-developers.com/showthread.php?t=2529903
When I connect the CS to the usb side of the OTG cable it flashes red and then white and that's it.
Might I be doing something wrong?
Thanks
BB
Bad Bimr said:
I've tried doing the root method posted here:
http://forum.xda-developers.com/showthread.php?t=2529903
When I connect the CS to the usb side of the OTG cable it flashes red and then white and that's it.
Might I be doing something wrong?
Thanks
BB
Is your device rootable? If it has taken any official Google OTA yet, then the device will be unable to use or boot flashcast as Google patched the root exploit.
Next time please try to keep questions to the relevant thread, thanks.
ddggttff3 said:
First off, any official OTA for the chromecast will patch the root exploit, so if that update goes through you will be unable to root your chromecast.
As for this method working for you, if you follow the jumping method as stated in OP, then yes, this method would force your chromecast to boot from the USB Cable.
As for using flashcast, thanks to tchebb's help, if you just boot flashcast 1.1.1 on a jumpdrive, it will automatically delete the OTA from the device, and reset the boot mode back to normal. So the need to use UART is no longer required!
IIRC, in another thread it was stated that Flashcast made no changes to the Chromecast, it was just to set up the USB drive to flash the Chromecast and it was the Pwnedcast ROM that made the needed changes to prevent the OTA from taking place.
It's mentioned in this post: http://forum.xda-developers.com/showpost.php?p=46307051&postcount=124 or am I misunderstanding what you mean?
wptski said:
IIRC, in another thread it was stated that Flashcast made no changes to the Chromecast, it was just to set up the USB drive to flash the Chromecast and it was the Pwnedcast ROM that made the needed changes to prevent the OTA from taking place.
It's mentioned in this post: http://forum.xda-developers.com/showpost.php?p=46307051&postcount=124 or am I misunderstanding what you mean?
That is correct, flashcast makes no changes, but it DOES reset the boot mode of the device back to normal. This is done to ensure that no device gets stuck in recovery mode forever, as well as deletes /cache/ota.zip so if an official Google OTA is on the device, it gets deleted.
ddggttff3 said:
That is correct, flashcast makes no changes, but it DOES reset the boot mode of the device back to normal. This is done to ensure that no device gets stuck in recovery mode forever, as well as deletes /cache/ota.zip so if an official Google OTA is on the device, it gets deleted.
Deleting /cache/ota.zip isn't considered a change? So, if ALL that is done to a 12072 build is to setup the Flashcast USB drive, it can't be updated by Google?
wptski said:
Deleting /cache/ota.zip isn't considered a change? So, if ALL that is done to a 12072 build is to setup the Flashcast USB drive, it can't be updated by Google?
No, the device will still be able to update from Google if flashcast is run; flashcast just deletes any already downloaded OTA that has yet to be installed.

[FLASHER] [v1.3 - 2014-07-07] FlashCast: Quickly and easily mod your Chromecast

What is it?
FlashCast is a USB image that provides a standardized way to mod your Chromecast. Think of it like a recovery which runs off of a USB drive. No more struggling with the limitations of the GTVHacker image, which is hard to modify and can only flash the /system partition. FlashCast is based on shell scripts, so you can use it to do anything you can do with a root shell. It also comes with a comprehensive suite of helper functions, so many tasks actually become much easier than they would be using a regular shell.
How do I use it?
If you prefer to follow a video tutorial, @ddggttff3 has made one here. Otherwise, read on for written instructions.
Preparation
Before you begin, you'll need some materials:
A Chromecast with a vulnerable bootloader. (For the bootloader to be vulnerable, the Chromecast must have never been connected to the internet and have a rootable serial number.)
The latest version of FlashCast (the download link is at the bottom of this post).
A USB drive (minimum size 256MB) which you are willing to have erased.
A powered Micro-USB OTG cable such as this one. (Alternatively, an unpowered USB hub and unpowered OTG cable can be used as shown here. I have not tested this method and cannot help you if your USB drive is not detected.)
Installation
Once you've gathered everything required, you can install FlashCast to your USB drive. To do so, you need to write the .bin file contained in the FlashCast .zip file you've downloaded to your drive. Simply using a file explorer to drag the .bin file to your USB drive is not correct and will not work. The specifics of doing a low-level write differ depending on OS, but, in general, Linux and OS X users should use dd and Windows users should use Win32DiskImager. This operation will erase your flash drive.
After you've written the .bin file to your USB drive, your computer will no longer recognize a filesystem on it. This is normal. In order for FlashCast to set up the drive's filesystem, you need to boot your Chromecast from the drive. To do this, perform the following steps:
Connect the male end of your Micro-USB OTG cable to your Chromecast.
Plug your USB drive into the USB-A female connector of the OTG cable.
Simultaneously hold the button on your Chromecast and connect the Micro-USB power connector to the female Micro-USB port of the OTG cable.
The power must be connected last. If it is not, your Chromecast may fail to detect the USB drive and boot up normally. If this happens, simply repeat the process, making sure to perform the steps in the correct order.
If FlashCast was copied correctly, you will see a red light on your Chromecast for approximately 9 seconds. It will then turn white and your TV will display a screen containing the FlashCast logo (shown at the top of this post) and various instructions. Once you see this screen, you may release the button. The screen will appear for another 9 seconds or so, after which your Chromecast will reboot on its own to the stock image. After it has rebooted (you may disconnect the power when it starts to boot into the stock image if you're worried about it updating), FlashCast is installed on your USB drive and ready for use. Your device is NOT rooted at this point and can still be updated by Google. To root, you need to flash a mod such as Team Eureka's Eureka-ROM. When you plug the drive into your computer, it should appear as an empty drive which you can copy files to.
Usage
FlashCast-compatible mods are distributed as .zip files. To flash a mod, simply copy it to the USB drive with the name eureka_image.zip. Do NOT use dd as you did in the previous section. If you do, you will have to repeat the whole process. Instead, just copy it onto the drive's filesystem as you would any other file. FlashCast is also capable of flashing a GTVHacker-style raw system image; if there are no native FlashCast mods present and the system image is in a file called Chromecast-Rooted-System-GTVHacker-cj_000-July27-635PM.bin, it will be flashed. This method of flashing is very inflexible and is not recommended.
How do I develop for it?
If you are interested in creating mods for FlashCast, please see the developer thread.
Who made it?
FlashCast is based on a generic Buildroot Linux image. Its mod framework was written entirely by me, but I couldn't have done it without the help of various individuals. Thanks, @cj_000, for helping me and putting up with my stupid questions in IRC. And thank you, @tvall, for releasing your update-free images so promptly up until now. Without those, FlashCast would have a much smaller potential user base.
Where do I get it?
Downloads and source code are available at FlashCast's GitHub repository. The latest version is currently v1.3.
Cool! First
Sent from my SCH-I605 using Tapatalk 4
Oh yeah, finally we can update kernels! Thanks for this, got some work to do now.
tchebb, awesome work. Your flasher seems so much more flexible than what we put out (but hell, we did it in 3 days), and it's never a problem to help out. In fact, we LOVE it when someone actually picks up on what we did and makes it so much better.
Can't wait to give it a try, once I get some free time!
CJ
vulnerable bootloader ?
How do I know if I have a Chromecast with a vulnerable bootloader?
Looks super cool man, I am about to check it out and update my chromecasts now! Great work!!
just flashed over, working great. thanks so much!
stewwmann said:
How do I know if I have a Chromecast with a vulnerable bootloader?
The initial software which the Chromecast shipped with, build 12072, had a vulnerable bootloader. In all following software versions (12840, 12940, and 13300), the vulnerability is patched and FlashCast can't be used. If your Chromecast has been allowed to access the internet, it will have updated itself and will not be vulnerable. If you have not set up your Chromecast and it still has the software from the factory, it may or may not be vulnerable, depending on when you bought it. To check, you can plug it in (but not set it up), and check its "Build" in the Chromecast app. Alternatively, you can simply try to boot FlashCast on it. If it's patched, nothing bad will happen; the USB drive will simply fail to boot.
tchebb said:
The initial software which the Chromecast shipped with, build 12072, had a vulnerable bootloader. In all following software versions (12840, 12940, and 13300), the vulnerability is patched and FlashCast can't be used. If your Chromecast has been allowed to access the internet, it will have updated itself and will not be vulnerable. If you have not set up your Chromecast and it still has the software from the factory, it may or may not be vulnerable, depending on when you bought it. To check, you can plug it in (but not set it up), and check its "Build" in the Chromecast app. Alternatively, you can simply try to boot FlashCast on it. If it's patched, nothing bad will happen; the USB drive will simply fail to boot.
I just got 2 units this week from Amazon and they have not been updated from the factory and thus, vulnerable.
tchebb said:
The initial software which the Chromecast shipped with, build 12072, had a vulnerable bootloader. In all following software versions (12840, 12940, and 13300), the vulnerability is patched and FlashCast can't be used. If your Chromecast has been allowed to access the internet, it will have updated itself and will not be vulnerable. If you have not set up your Chromecast and it still has the software from the factory, it may or may not be vulnerable, depending on when you bought it. To check, you can plug it in (but not set it up), and check its "Build" in the Chromecast app. Alternatively, you can simply try to boot FlashCast on it. If it's patched, nothing bad will happen; the USB drive will simply fail to boot.
Damn, I have this 13300 version. And this will never happen, or is there a way?
Updated 3 Chromecasts, thanks for the excellent work!
raydekok said:
Damn, I have this 13300 version. And this will never happen, or is there a way?
Currently there are no other known exploits.
ddggttff3 said:
Currently there are no other known exploits.
That is too bad. I'm hoping that it will not take too long.
raydekok said:
That is too bad. I'm hoping that it will not take too long.
@cammykool has been hoping that since Google forced 12840 upon him. He has given up hope.
I just finished using FlashCast on 2 ChromeCasts and everything went smooth and great! I could really see FlashCast evolving into a full blown recovery for ChromeCast!
I am thoroughly impressed with FlashCast, amazing work man, well done!
Hey guys, what's the purpose of this? Does it mean we can then use 3rd party developed apps? Apps that allow us to play local videos, etc.?
Thank You, Thank You very much....
Thanks for all the responses, I found a local Best Buy that has one, and I have put it on in store pickup for tomorrow. So if I do end up with one that has original fw, and am successful in installing flashcast, I can use the device as normal after that? no worries of it being locked back down? if we are not sure ,I just will continue using my updated one until then
stewwmann said:
Thanks for all the responses, I found a local Best Buy that has one, and I have put it on in store pickup for tomorrow. So if I do end up with one that has original fw, and am successful in installing flashcast, I can use the device as normal after that? no worries of it being locked back down? if we are not sure ,I just will continue using my updated one until then
If it comes with the original version, and you install an image that doesn't update, you can use it as normal and not worry about it being locked down.
cool
:good: *fingers crossed*
So if my Chromecast had been connected to my TV since release date I'm screwed huh
Sent from my Nexus 7 using Tapatalk 2

[Q] where to get signed images?

Hi,
As I believe I need to reflash my chromecast using the original firmware, does anyone know where I can get it from?
(If you're interested in why, please see below.)
I seem to have a bricked Chromecast that I'm trying to revive (black screen after the booting chrome logo),
I have soldered in the serial port and it seems to boot the normal image ok (see bottom for dump), I have tried both the normal and the recovery image, it performs the recovery okay, however the normal boot after recovery yields the same results.
Therefore I would consider the next step to be reflashing it; however, it refuses to flash using the GTV released firmware, because the existing firmware is too new to allow for the exploit. I therefore believe that I need a current firmware which is signed by Google to attempt recovery of the Chromecast. I spoke to Google about it and I was welcome to send it back and get a replacement; however, as I'm in Europe, it would be cheaper to just buy a new one than to pay the postage.
P.S. I posted this in a non-QA forum, under the assumption that links would be of general interest to chromecast developer community, and therefore would be easier to find here, if moderators disagree, I apologize for the inconvenience of moving this post.
Normal boot:
s_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
PG868: leakage=192 vcore=11 sysctl=59
Customer key found, loading customer key...
Loading Secure Customer Key Store is finished
Loading Secure Customer Key Store is finished
Finish loading Customer Key store
bootloader image verified, start...
eureka-b3 BG2CD [Aug 5 2013 10:54:27] ver:f07e92b-dirty
OTP s0x000000FF lkg curr=192 mAnd_randomizer_init_by_flash_type(chip_id = 0x2C48044AA500): !!! RANDOMIZED !!!
[FASTLOGO] init.
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
showlogo_init_irq, Enable IRQ_dHubIntrAvio0(0x20) for cpu 0
[FASTLOGO] done.
fts: v94 loaded from 0x00174000
[SHOWLOGO] stopped
Boot normal GTV image
fts: record v95 commited @ 0x00178000
Uncompressing Linux... done, booting the kernel.
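A way to triage a serial capture like the one above, as an added example that is not part of the original post: it pulls out the fields the log prints and reports the last boot milestone reached. The stage names, function names and field names are assumptions made for this example, and the fields are read only as far as the quoted lines show them.

```python
import re

# The "Normal boot" capture quoted in the post, embedded so the example runs offline.
SAMPLE_LOG = """\
s_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
PG868: leakage=192 vcore=11 sysctl=59
Customer key found, loading customer key...
Loading Secure Customer Key Store is finished
Loading Secure Customer Key Store is finished
Finish loading Customer Key store
bootloader image verified, start...
eureka-b3 BG2CD [Aug 5 2013 10:54:27] ver:f07e92b-dirty
OTP s0x000000FF lkg curr=192 mAnd_randomizer_init_by_flash_type(chip_id = 0x2C48044AA500): !!! RANDOMIZED !!!
[FASTLOGO] init.
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
showlogo_init_irq, Enable IRQ_dHubIntrAvio0(0x20) for cpu 0
[FASTLOGO] done.
fts: v94 loaded from 0x00174000
[SHOWLOGO] stopped
Boot normal GTV image
fts: record v95 commited @ 0x00178000
Uncompressing Linux... done, booting the kernel.
"""

# Ordered milestones; the stage names are labels chosen for this example.
STAGES = [
    ("s_init", re.compile(r"^s_init start\.")),
    ("key_store_loaded", re.compile(r"^Finish loading Customer Key store")),
    ("bootloader_verified", re.compile(r"^bootloader image verified")),
    ("bootloader_banner", re.compile(r"^\S+ \S+ \[[^\]]+\] ver:")),
    ("fts_loaded", re.compile(r"^fts: v\d+ loaded from")),
    ("image_selected", re.compile(r"^Boot \w+ GTV image")),
    ("kernel_handoff", re.compile(r"booting the kernel")),
]

STRAP_RE = re.compile(r"boot_strap=(0x[0-9a-fA-F]+) \(source=(\w+)\)")
BANNER_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] ver:([0-9a-f]+)(-dirty)?")
FTS_LOAD_RE = re.compile(r"^fts: v(\d+) loaded from (0x[0-9a-fA-F]+)")
FTS_COMMIT_RE = re.compile(r"^fts: record v(\d+) commited @ (0x[0-9a-fA-F]+)")  # spelled as printed
MODE_RE = re.compile(r"^Boot (\w+) GTV image")


def parse_boot_log(text):
    """Extract the printed boot facts and the milestones seen in a capture."""
    info = {"boot_strap": None, "boot_source": None, "bootloader": None,
            "fts_loaded": None, "fts_committed": None, "boot_mode": None,
            "stages": []}
    for raw in text.splitlines():
        line = raw.strip()
        # Record each milestone once, in order of first appearance.
        for name, pattern in STAGES:
            if name not in info["stages"] and pattern.search(line):
                info["stages"].append(name)
        if m := STRAP_RE.search(line):
            info["boot_strap"] = int(m.group(1), 16)
            info["boot_source"] = m.group(2)
        elif m := BANNER_RE.match(line):
            info["bootloader"] = {"ident": m.group(1), "built": m.group(2),
                                  "rev": m.group(3), "dirty": m.group(4) is not None}
        elif m := FTS_LOAD_RE.match(line):
            info["fts_loaded"] = (int(m.group(1)), int(m.group(2), 16))
        elif m := FTS_COMMIT_RE.match(line):
            info["fts_committed"] = (int(m.group(1)), int(m.group(2), 16))
        elif m := MODE_RE.match(line):
            info["boot_mode"] = m.group(1)
    info["last_stage"] = info["stages"][-1] if info["stages"] else None
    info["first_missing"] = next(
        (name for name, _ in STAGES if name not in info["stages"]), None)
    return info


def summarize(info):
    """One-line verdict: where did the capture stop?"""
    if info["first_missing"] is None:
        return ("all bootloader milestones reached; the capture ends at kernel "
                "handoff, so any hang happens later than this log covers")
    return "stopped after %s; next expected milestone was %s" % (
        info["last_stage"], info["first_missing"])


if __name__ == "__main__":
    result = parse_boot_log(SAMPLE_LOG)
    for key, value in result.items():
        print(key, "=", value)
    print(summarize(result))
```

Run against a capture that stops early, the same function names the first milestone that never appeared, which separates a bootloader-stage failure from one that occurs after the kernel takes over.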
bse10093 said:
Hi,
As I believe I need to reflash my chromecast using the original firmware, does anyone know where I can get it from?
(If you're interested in why, please see below.)
I seem to have a bricked Chromecast that I'm trying to revive (black screen after the booting chrome logo),
I have soldered in the serial port and it seems to boot the normal image ok (see bottom for dump), I have tried both the normal and the recovery image, it performs the recovery okay, however the normal boot after recovery yields the same results.
Therefore I would consider the next step to be reflashing it; however, it refuses to flash using the GTV released firmware, because the existing firmware is too new to allow for the exploit. I therefore believe that I need a current firmware which is signed by Google to attempt recovery of the Chromecast. I spoke to Google about it and I was welcome to send it back and get a replacement; however, as I'm in Europe, it would be cheaper to just buy a new one than to pay the postage.
P.S. I posted this in a non-QA forum, under the assumption that links would be of general interest to chromecast developer community, and therefore would be easier to find here, if moderators disagree, I apologize for the inconvenience of moving this post.
Normal boot:
If you had the exploitable bootloader, I would refer you to my thread I made awhile back about debricking, but if yours is updated, I think all you can really do is send it back to google, or buy a new one. To my knowledge, there has been no leak of an official signed USB image.
What you can try though is booting the Chromecast into recovery (no idea how you can do that if it's "bricked"), and have a jump drive with one of the official OTA zips on it, named ota.zip. The Chromecast recovery, if unable to find an update at /data/, will check an external jump drive.
Here is the link for the Official 13300 update. http://dl.google.com/googletv-eurek....1f63ef63d1f43c6222116806e5bea38a47e9f124.zip
tried recovery, but no luck
Thanks for your suggestions. I've tried to see if I can get it to load the software either by corrupting the boot (touching the memory without the shield after a few tries seems to be enough to cause corruption and thereby make it try to boot from USB); however, it seems to fail locating the image. It may, however, just be a matter of me having to put it in there in a certain way.
The device seems to have bricked in a weird way, that is the recovery process seems to run without error and so does the normal boot process until the very end when it is supposed to switch from the spinning chrome logo into the chromecast desktop, it just switches to the black screen.
I was able to start the recovery, but I assume that it must have an existing ota.zip in /data/, as it doesn't seem to check the jump drive.
ddggttff3 said:
If you had the exploitable bootloader, I would refer you to my thread I made awhile back about debricking, but if yours is updated, I think all you can really do is send it back to google, or buy a new one. To my knowledge, there has been no leak of an official update.
What you can try though is booting the Chromecast into recovery (no idea how you can do that if it's "bricked"), and have a jump drive with one of the official OTA zips on it, named ota.zip. The Chromecast recovery, if unable to find an update at /data/, will check an external jump drive.
Have you tried doing a factory reset on the Chromecast, by button or the setup application?
bse10093 said:
Thanks for your suggestions. I've tried to see if I can get it to load the software either by corrupting the boot (touching the memory without the shield after a few tries seems to be enough to cause corruption and thereby make it try to boot from USB); however, it seems to fail locating the image. It may, however, just be a matter of me having to put it in there in a certain way.
The device seems to have bricked in a weird way, that is the recovery process seems to run without error and so does the normal boot process until the very end when it is supposed to switch from the spinning chrome logo into the chromecast desktop, it just switches to the black screen.
I was able to start the recovery, but I assume that it must have an existing ota.zip in /data/, as it doesn't seem to check the jump drive.
I believe it will try to install a file named ota.zip on the root of a flash drive if it doesn't find an OTA on internal storage.
factory default
ddggttff3 said:
Have you tried doing a factory reset on the chromecast? by button, or the setup application?
Yes, I've tried it and it runs without errors and reboots; however, when back in normal boot mode it still shows the black screen instead of the Chromecast desktop.
P.S. maybe I should mention that the chromecast ad-hoc network also comes up, unfortunately though that doesn't seem to help.
doesn't seem to activate usb key
tvall said:
I believe it will try to install a file named ota.zip on the root of a flash drive if it doesn't find an OTA on internal storage.
I tried renaming; however, when starting recovery with the USB key containing the official 13300 renamed as ota.zip, it never has any disk activity on the USB key. However, I can verify that it can read the key from the bootloader, as it detects the key but fails the signing step.

[GUIDE] [ROOT] root LG L90 running D41510e or higher WORKS WITH LOLLIPOP AS WELL

Yah, so as the title says, ima show you how to root ur lg l90! The only reason im doin this is because @gdjindal's guide didn't work fer me. That runs v10e or higher WITHOUT DOWNGRADING. I'm not really sure if this works on previous firmwares, but let me know if it does :good:.
Firstly, the original tutorial is here: 1x1a.com/how-to-root-a-lg-optimus-l90-d415-10e.html
Code:
WARNING
Your warranty is now void.
I am not responsible for bricked devices, dead SD cards,
thermonuclear war, or you getting fired because the alarm app
failed. Please view the original guide BEFORE looking at this
abridged version! YOU are choosing to make these
modifications, and if you point the finger at me
for messing up your device, I will laugh at you.
Download the files attached.
First things first: make sure you have USB debugging enabled (can be found in dev options in settings app) Install the drivers you downloaded.
Then, you should connect your phone to your PC/laptop (must be able to run batch files) in MTP (or your PTP equivalent) If prompted for USB debugging permissions on your phone, hit allow.
Now for the actual rooting.
Open the root script zip file, and extract it wherever you like. Extract the Drivers in this zip file and run the exe within. Then, open the folder and select the LG Root Script Batch file. Now just sit back and relax.
If you get a message saying that the serial port could NOT be found, then disconnect your phone and turn it off. Then WITHOUT TURNING IT ON, hold up the volume button and push in the USB cord. This should fix the problem. Once the process completes restart your phone manually.
Worked for me on a LG L90 D514 v10e . Thank you, as no other method would work.
I can confirm that this works as well, for D41510e firmware. Huge thanks, even though I jumped through all kinds of circles to get this device rooted lol(mainly due to the fact that none of my PC's run windows) Needless to say, I couldn't get the batch file to work via cmd prompt and WINE, so I had to do a fresh windows install. I'm going to try to write a shell script for any linux users out there that might run into the same problems as I did. If I have any success, I'll upload for the OP to include in original post. Thanks again!
Confirmed working on LG L90 D145 TMOBILE running official lollipop, with a tiny amount of editing to the batch file.
Nice !!!
CaptivateKing said:
I can confirm that this works as well, for D41510e firmware. Huge thanks, even though I jumped through all kinds of circles to get this device rooted lol(mainly due to the fact that none of my PC's run windows) Needless to say, I couldn't get the batch file to work via cmd prompt and WINE, so I had to do a fresh windows install. I'm going to try to write a shell script for any linux users out there that might run into the same problems as I did. If I have any success, I'll upload for the OP to include in original post. Thanks again!
You're very welcome on the guide. Never really superused Linux before, got it on an old computer to make it run faster after XP got discontinued. Hope you can write the shell script and send me the modified files. The best of luck! :highfive:
silentpoke said:
Confirmed working on LG L90 D145 TMOBILE running official lollipop, with a tiny amount of editing to the batch file.
Nice !!!
Please send me the edited batch file! Thanks in advance! :fingers-crossed:
Confirmed for D415 Lollipop
This method also worked to root the Lollipop update. Thank you. (I hate bloatware.) Anyone who is looking for a how and is already rooted with a custom recovery, just use Rashr or Flashify to flash the laf.img file again and use LG Flash Tool (2014 at least) to flash the D41520b_00.kdz to update to Lollipop, then use this method to root.
can someone help
Can someone help me? I did the script and I'm on Lollipop. I can access SuperSU but I can't verify the root via Root Checker Pro or use SCR Pro, and my phone reboots to the T-Mobile logo.
G33KSQUAD said:
Please send me the edited batch file! Thanks in advance! :fingers-crossed:
1 thing edited because it couldn't find my phone
I had to manually enter in what com port my phone was on, I used lg flash tools to determine, I edited the com ports while script was running and hit save, and boom phone rooted in like 30 sec.
I Don't have Developer Options !
Errrrr, uhh ... sorry. Ahem ... I meant to say I don't have 'Developer Options or a Debugging defeat switch in my D415's settings.
Thanking you in advance,
New Guy
CaseyRockStar said:
I Don't have Developer Options !
Errrrr, uhh ... sorry. Ahem ... I meant to say I don't have 'Developer Options or a Debugging defeat switch in my D415's settings.
Thanking you in advance,
New Guy
Just go to about phone, software info, then repeatedly click on build # 7 times. It should say, congrats, you're a dev now!. Then go back to the main settings page and open the dev options. Icon should be like {} symbols. Then enable usb debugging, and click yes if it asks for authorisation when run the batch!
Keep an eye on Windows driver updates
Thanks for this! Just a note to keep an eye on the Windows driver notification in the taskbar. A lot of the hangups were that you had to stop checking Windows Updates for Drivers. Once I clicked that, the downloaded drivers were installed quickly and the script moved along.
Works!
At first I started to get scared because i had to retry the manual download and it says 0% and the computer is trying to connect and for the longest time i thought i did something wrong but it seems to be working!
I keep getting stuck at the Download screen. It doesn't ever seem to detect a com port. I guess I'll keep trying to see if something magically starts working lol
cliemonster said:
I keep getting stuck at the Download screen. It doesn't ever seem to detect a com port. I guess I'll keep trying to see if something magically starts working lol
Does it not detect it when you disconnect the USB, put phone in DL mode, and reconnect to USB? Should automatically detect the com port when you do that
Sent from my LG-D415 using XDA Free mobile app
cliemonster said:
I keep getting stuck at the Download screen. It doesn't ever seem to detect a com port. I guess I'll keep trying to see if something magically starts working lol
You may have to manually select your com port. Typically it's COM 41, sometimes 23, though.
xanscorp said:
You may have to manually select your com port. Typically it's COM 41, sometimes 23, though.
Thanks for the advice. I'll give that a try!
Nope... it just does not want to recognize it. As soon as I put it into download mode my computer just refuses to see it. I tried putting those com ports in manually and nothing. Maybe its a cable problem. I'll see if anything changes with a different cable.
Figured it out... it was the drivers. I thought I had the right set, but when I installed the drivers again from this post, all worked like a charm. I am now happily rooted, and thanks for all the good advice.
Successfully rooted today. It didn't detect the port automatically for me either, but following the instructions to hold volume up during boot got it there. I posted screen shots of the script and my phone. I thought the script failed because you can see where it says Special command ##, it was stuck there for several minutes and my phone showed no progress but it showed rooted in red letters. This might have been because I ran this script at a different time thinking it failed (originally from this guide http://forum.xda-developers.com/lg-g3/general/guide-root-lg-firmwares-kitkat-lollipop-t3056951), but I forgot to run the supersu app once the phone rebooted.
Quick question. I ran it and it was fine up until it looked for a COM port. I manually put it in download mode, and it told me it was missing MSVCR100.dll
I downloaded it, I used one in Sys32, and I get an error when Send_Command.exe gets executed. Any help would be appreciated. This is a clean install of Win7 and I only used the attached drivers.
This work on lg g4?

Lenovo Smart Clock (Bootloader/AVB unlock, Firmware, Region Changer, Kernel Source)

How to Bootloader Unlock (Part 1 of 2):
1. You will need a USB A to USB A cable (Example here)
2. You will need fastboot drivers on your PC
3. Unplug your clock
4. Plug the USB A to A cable into your computer and clock
5. Hold the volume + button and plug in the power cord
6. Keep holding volume + for about 20-30 seconds (It is slow to boot to fastboot)
7. On your computer in a terminal run, fastboot flashing unlock
Part 1 of unlocking is now done
AVB/DM-Verity Unlock (Part 2 of 2)
Unlocking the bootloader really does not give a lot to us because all the partitions are still being verified and the device will not boot if they don't match. Normally doing this on an Android Things device is not possible due to their private key unlock system. But due to a leak, the private key for the Lenovo Smart Clock is available. Word of warning: doing this causes the stock Android Things not to boot; only the factory firmware located on Slot A will boot. Consistently, if you don't AVB unlock, the factory firmware on Slot A doesn't boot. If you have already set up your device once, the factory firmware is deleted and currently there is not a way to get it back (hopefully will change soon).
If you are coming from part 1 you can start right away, if not you need to reboot to fastboot again.
1. Extract the downloaded AVB Unlock zip
2. Run this command in terminal
Code:
at_auth_unlock.exe cube_unlock_credentials_v2.zip
3. Wait till it finishes
4. Keep in mind the stock system does not boot properly with AVB off (It is weird some UI elements work but the boot animation never goes away)
5. To relock AVB in the future run the following command:
Code:
fastboot oem at-lock-vboot!
Downloads:
Stock Shipping fastboot firmware:
Here
AVB Unlock tool:
Here
Factory partition changer (Locale changer):
Here
Google released kernel source:
https://github.com/deadman96385/android_kernel_lenovo_mt8167s
Dump of stock partitions for easy viewing:
https://github.com/deadman96385/things_mt8167s_som_dump
Credit to @deletescape for the leak of the AVB Unlock Key, Stock firmware, region changer
Screenshots of the stock android things on Slot A if you don't setup the device :
TWRP (Coming Soon)
Excited to see what you manage to do with this!
This is great! I have one of these and it felt way too restrictive, looking forward to seeing what comes out of this.
You can also unlock the boot loader simply with what's below... device does boot with this btw
fastboot flashing unlock
Although I've been messing with the device quite a bit. Plug in a usb keyboard, and you can get a web browser to recognize it and go to websites and such using the touch screen as a cursor, but you can't download APK files and install them and such. I've NEVER had the device recognized by ADB, so I can't pass commands from there either.
KaptinBoxxi said:
You can also unlock the boot loader simply with what's below... device does boot with this btw
fastboot flashing unlock
Although I've been messing with the device quite a bit. Plug in a usb keyboard, and you can get a web browser to recognize it and go to websites and such using the touch screen as a cursor, but you can't download APK files and install them and such. I've NEVER had the device recognized by ADB, so I can't pass commands from there either.
Just doing step one does not actually get you anything because if you flash something that isn't stock on the verified partitions it will not boot until you flash back the stock one. I have gotten adb to show up but not properly so it is offline. Still hacking away at it trying to get it to go so i can more easily debug TWRP and make edits to the system.
deadman96385 said:
Just doing step one does not actually get you anything because if you flash something that isn't stock on the verified partitions it will not boot until you flash back the stock one. I have gotten adb to show up but not properly so it is offline. Still hacking away at it trying to get it to go so i can more easily debug TWRP and make edits to the system.
Ahhhhh got it. I couldn't find anything when I was messing with it like you've found with those commands. I'm kinda new to all this myself at something with nearly zero support, although I have a ton of experience with phones. Had to find my own exploit with my HTC One M7 because the version of android on the phone was the final supported update when I got it, and everyone said "nothing is possible with this android version" as far as rooting... so I figured out my own way lol
I'll continue trying myself though for sure
I also own one of these clocks, so if anyone has anything that I could test out, please share!
I think I'm bit late to party. Anyone who has a backup for those lenovo products, maybe it's a good idea to torrent them.
Honami754 said:
I think I'm bit late to party. Anyone who has a backup for those lenovo products, maybe it's a good idea to torrent them.
I don't have the time to test this stuff out for at least a few weeks, but if when I get to it, I'll try to upload my Backups somewhere before I tinker with the system. I'll update this comment when I do.
CiriousJoker said:
I don't have the time to test this stuff out for at least a few weeks, but if when I get to it, I'll try to upload my Backups somewhere before I tinker with the system. I'll update this comment when I do.
That's not really what I mean... I was referring to some interesting documents from lenovo. Have a few of those hardware but unfortunately didn't grab those files. Anyone also interested in these can PM me maybe we can do something about it.
When will TWRP be available?
Interesting as there has a been a few of these turn up to auction of late .
I have gone with the 10' for main room and 8' for bedroom.. love them..
Got the oldies the little 7'
Great for streaming too..
The one I wish it did was announce the time by voice when the internet was down and we said "Hey Google". I am blind without my glasses and often when I am in bed, the internet is down in my area for maintenance period. The clock becomes useless when the internet goes down.
How are people getting the web browser to appear? I'm able to unlock the bootloader but can not boot with the AVB unlocked (well...technically it boots but still shows the spinning circle even though it will let you go to settings). I tried flashing the stock fastboot img and booting with avb unlocked and still get spinning circle. Not trying to get too fancy with this...just want to be able to point to a status page that I can leave it on.
Does anyone try to build a new firmware image and install this instead of stock?
Maybe compiling Android Things from source is possible, but looks like Google has stopped the development. The Lenovo Smart Frame seems to have the same MT8167S and runs on Android 10. Maybe it's possible to compile a LineageOS version?
lenovo.com/us/en/coming-soon/Lenovo-CD-3L501/p/ZZISZSDCD04
Another option might be fuchsia that contains a mt8167s board ref.
fuchsia.googlesource.com/fuchsia/+/master/boards/mt8167s_ref.gni
Googles Coral announced a Dev Board Mini based on MT8167s, maybe they port the Debian-based Mendel Linux to it.
coral.ai/products/dev-board-mini
hugo987 said:
Does anyone try to build a new firmware image and install this instead of stock?
Maybe compiling Android Things from source is possible, but looks like Google has stopped the development. The Lenovo Smart Frame seems to have the same MT8167S and runs on Android 10. Maybe it's possible to compile a LineageOS version?
lenovo.com/us/en/coming-soon/Lenovo-CD-3L501/p/ZZISZSDCD04
Another option might be fuchsia that contains a mt8167s board ref.
fuchsia.googlesource.com/fuchsia/+/master/boards/mt8167s_ref.gni
Googles Coral announced a Dev Board Mini based on MT8167s, maybe they port the Debian-based Mendel Linux to it.
coral.ai/products/dev-board-mini
I suppose the smart frame is running android things as well. Compiling android things does make much sense except to prove the drivers are sort of working, this is not designed to let users have fun (ie installing apps).
Google *really* loves mt8167s for some reason. I'd say there's a good chance of we having full android on it but everyone's busy.
They are throwing these things at our head now. 35/40 USD during black fridays.
I don't think you can order the components for that price
Anybody still working on it? Lenovo claims it's still working on the sound bug - hxxps :// forums.lenovo.com/t5/Lenovo-Smart-Display-Lenovo-Smart-Clock-with-Google-Assistant/Smart-clock-alarm-volume-too-loud-at-first/m-p/5040962?page=4 (latest reply 2020-13-11 from Lenovo) and they did some unannounced pretty good updates in September 2020 - hxxps :// 9to5google.com/2020/09/21/lenovo-smart-clock-night-light/
They also claim the source is on their website hxxps :// smartsupport.lenovo.com/us/en/products/smart/smart-home/smart-clock/za4r/downloads/ds539701
So is this dead ?
deadman96385 said:
How to Bootloader Unlock (Part 1 of 2):
1. You will need a USB A to USB A cable (Example here)
2. You will need fastboot drivers on your PC
3. Unplug your clock
4. Plug the USB A to A cable into your computer and clock
5. Hold the volume + button and plug in the power cord
6. Keep holding volume + for about 20-30 seconds (It is slow to boot to fastboot)
7. On your computer in a terminal run, fastboot flashing unlock
Part 1 of unlocking is now done
AVB/DM-Verity Unlock (Part 2 of 2)
Unlocking the bootloader really does not give a lot to us because all the partitions are still being verified and the device will not boot if they don't match. Normally doing this on an Android Things device is not possible due to their private key unlock system. But due to a leak, the private key for the Lenovo Smart Clock is available. Word of warning: doing this causes the stock Android Things not to boot; only the factory firmware located on Slot A will boot. Consistently, if you don't AVB unlock, the factory firmware on Slot A doesn't boot. If you have already set up your device once, the factory firmware is deleted and currently there is not a way to get it back (hopefully will change soon).
If you are coming from part 1 you can start right away, if not you need to reboot to fastboot again.
1. Extract the downloaded AVB Unlock zip
2. Run this command in terminal
Code:
at_auth_unlock.exe cube_unlock_credentials_v2.zip
3. Wait till it finishes
4. Keep in mind the stock system does not boot properly with AVB off (It is weird some UI elements work but the boot animation never goes away)
5. To relock AVB in the future run the following command:
Code:
fastboot oem at-lock-vboot!
Locale changer instructions:
Coming soon (Need to figure it out)
Downloads:
Stock Shipping fastboot firmware:
Here
AVB Unlock tool:
Here
Factory partition changer (Locale changer):
Here
Google released kernel source:
https://github.com/deadman96385/android_kernel_lenovo_mt8167s
Dump of stock partitions for easy viewing:
https://github.com/deadman96385/things_mt8167s_som_dump
Credit to @deletescape for the leak of the AVB Unlock Key, Stock firmware, region changer
How about the smart display, the same way?
jasonzhang1987 said:
How about the smart display, the same way?
We do not have the AVB unlock files for the smart displays sadly.
