Chromecast bootloader exploit


Well that didn’t take long. The team over at GTVHacker have worked their magic on Chromecast. The HDMI dongle announced by Google last week was so popular they had to cancel their 3-free-months of Netflix perk. We think the thing is worth $35 without it, especially if we end up seeing some awesome hacks from the community.

So far this is just getting your foot in the door by rooting the device. In addition to walking through the exploit, the wiki instructions give us a lot more pictures of the internals than we saw from the teardown in yesterday’s links post. There’s an unpopulated pad with seventeen connections on the PCB. You can patch into the serial connections this way, running at 115200 8N1, but you won’t get terminal access out of the box. The exploit uses a vulnerability in the bootloader to flash a hacked system folder which provides root. After wiping the cache it reboots like normal, but now you can access a root shell on port 23.


  1. zigzagjoe says:

    No, it doesn’t run android – It runs a modified google tv build, without dalvik. What do we call android without dalvik? Linux. Reading comprehension, how does it work?

  2. Petr says:

    From the Google conference where Chromecast was introduced, they said that the device runs a stripped Chrome OS.

  3. localroger says:

    From TFA: “the value stored in ret is never actually verified to ensure that the call to “VerifyImage” succeeded.”

    Ouch. Someone is going to lose their privs to the free gourmet cafeteria over this.
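The bug quoted above (a verification result that is stored but never checked) is a control-flow defect, not a crypto one. The following is an added illustration, not code from the Chromecast bootloader or from the GTVHacker write-up: `verify_image` is a hypothetical stand-in for the quoted `VerifyImage`, and its FNV-1a tag is a constructed model of whatever check the real function performs (a real verifier checks a public-key signature), used only so the two boot paths can be compared on a tampered image.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a boot image: payload plus a 32-bit tag.
   A real bootloader verifies a signature here; the FNV-1a tag only
   stands in for "whatever VerifyImage checks" (assumption). */
typedef struct {
    const uint8_t *payload;
    size_t len;
    uint32_t tag;
} boot_image_t;

uint32_t fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Hypothetical stand-in for VerifyImage: 0 on success, non-zero on failure. */
int verify_image(const boot_image_t *img) {
    if (img == NULL || img->payload == NULL || img->len == 0) return -1;
    return fnv1a32(img->payload, img->len) == img->tag ? 0 : -2;
}

/* Vulnerable control flow as quoted: ret is assigned but never examined,
   so a modified image is booted anyway. Returns 1 when the image boots. */
int boot_unchecked(const boot_image_t *img) {
    int ret = verify_image(img);
    (void)ret;                 /* the bug: the result is discarded */
    return 1;                  /* jump to the image regardless */
}

/* Hardened control flow: boot only when verification succeeded. */
int boot_checked(const boot_image_t *img) {
    int ret = verify_image(img);
    if (ret != 0) return 0;    /* refuse to boot; drop to recovery instead */
    return 1;
}
```

A compiler warning for an unused result will not catch this pattern, since `ret` is assigned; a static-analysis rule for "status value never compared" or a code-review checklist item for every verification call is the practical detection.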

  4. qwerty says:

    The fact that it doesn’t run Android but rather a Java-less Linux distro actually adds value to this gadget. Of course until all stuff by Google can be replaced by a truly open Linux distro I’m not trusting this device enough to let it do its business into my own network.

    • lwatcdr says:

      Do you have a smartphone, game console, TV set, or router on your home network? Have all of them been hacked for open source? What about the printer? I often wonder just what people think will get sniffed out of their network. Also any really nasty code will be found out very quickly since every hacker on the planet will be tearing this apart.

      • Whatnot says:

        That last sentence is nonsense, binaries and encrypted stuff is pretty secure from peeking what’s inside, and there have been and continue to be tons of nastiness going on without people finding out for decades, or in fact never – so far.

        • Whatnot says:

          Addendum: Mind you I myself although I’m mistrusting to many things feel pretty trusting towards the chromecast, I think it’s the chrome browser where the danger lurks.
          And maybe if I had a reason to suspect spooks would seek to come within WiFi range of my computer.

          And while I’m on the subject: Remember how google streetview ‘accidentally’ got all that WiFi information as it traveled all over the place? What do you think is the chance that was a service to the NSA? Because if I combine what we learned and then look back at that I can’t but get suspicious. Think about it.

          • Greenaum says:

            You could look at it as the NSA sub-contracting something they were going to do themselves, but could do more cheaply through a specialist who was going to drive cars round the streets of the world anyway.

            Still pisses on “Don’t be ahem, EVIL!” though. Yeah thanks a lot Google. Has anyone plotted the time it took from the start with a couple of genius geeks having a bright idea, to evil brain-reading psych-manipulating Big-Brother-style EvilCorp? Or perhaps more usefully than time, a dollar amount?

            Are Sergey and whatsisname still in charge up there? Has it been covert or overt as the Evil influence took the thing over? Watching the TV with their high-up financial guy making excuses for fixing the books so Google don’t have to pay any tax in the UK, blaming the tax-men for it, with a completely straight face, inspired Bill Gates levels of face-punching rage.

            I despair for the human race. Why are the few who aren’t completely stupid always evil instead? There needs to be something better than politics. It attracts the sort of sinister weirdoes you wouldn’t let babysit your kids.

            I’d sooner be a monkey, anyone wanna join my Kickstarter? I need 40 miles of rope, an uninhabited island, and 4 metric fuckton of bananas.

  5. pockpock says:

    This is cool.
    I find it quite alarming that most computers you buy today come with a locked root/admin account. I wonder, if we soon will have to root a desktop PC or laptop…

  6. static says:

    While I’m not one to say don’t post this or that, posts like this serve to remind me how far out of the loop I am when it comes to entertainment tech. I still only have a TV whose only input is an F jack. When I’m only assured of receiving one digital TV station OTA, it’s a bit hard to justify purchasing a new TV. I probably will only to get a VGA input so I can use a computer and the web. That way I can watch team Hackaday from the recliner if they are ever again finalists in the Red Bull contest.

    • Cobbweb says:

      I am in a similar position, but I would skip the VGA and go with HDMI for two reasons. One being that HDMI will be easier to find on new TVs, and the second being integrated audio.

    • defaultex says:

      I was planning to pick one up for the living room with how screwy my Blu-ray player has been with Netflix. Hearing it’s hackable, I can’t wait to get one now. Would be nice to load it up with video playback software that can take advantage of modern containers (like chapter support in MKV/MKA), even if I had to write the software myself.

    • Greenaum says:

      Wow! I got rid of my RF-only TV, 2 TVs ago. The first was from Freecycle, a 30-something inch Sony CRT behemoth. Takes 3 people to lift it upstairs, but the picture and sound were great. People can’t throw CRTs away fast enough, should be plenty to find in the listings. I saw a CRT monitor left on the street for days with “working, FREE” stuck to it, nobody wanted it.

      My current TV is a 26″ LCD, 1080p. Was cheap, 150 quid, is great, has sockets for everything, VGA, 2xHDMI, SCART, composite, YUV and a couple more. Built in digital, mais naturellement, tho it still takes analogue RF if I start collecting 8-bitters again. Built-in DVD player, for as long as it lasts, and who cares if I need to replace it for practically nothing? Cheap enough to be considered disposable, offset over a year or two.

      Hurrah for VVVLSI, data compression, and economies of scale! Hurrah for Chinese mass-production, in these happy days before it bites us in the arse!

  7. acidrain says:

    Can’t wait for some SMB/CIFS access and a non-streaming media player.

  8. Bacon Zombie says:

    What is the cheapest / best way to get one of these devices shipped to Ireland?
