Chromecast bootloader exploit


Well, that didn’t take long. The team over at GTVHacker have worked their magic on the Chromecast. The HDMI dongle announced by Google last week was so popular that they had to cancel their three-free-months-of-Netflix perk. We think the thing is worth $35 without it, especially if we end up seeing some awesome hacks from the community.

So far this is just getting your foot in the door by rooting the device. In addition to walking through the exploit, the wiki instructions give us a lot more pictures of the internals than we saw in the teardown from yesterday’s links post. There’s an unpopulated pad with seventeen connections on the PCB; you can patch into the serial connection this way, running at 115200 8N1, but you won’t get terminal access out of the box. The exploit uses a vulnerability in the bootloader to flash a modified system image which provides root: the bootloader calls its image-verification routine and stores the result, but never checks that result before continuing, so an unsigned image is accepted as if it had passed. After wiping the cache the device reboots like normal, but now you can reach a root shell over telnet on port 23.
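The bug pattern described above, a verification result that is stored but never compared before the flash proceeds, is worth seeing beside its fail-closed form. The following is an added illustration, not GTVHacker’s writeup code and not Google’s bootloader: the image layout, the `verify_image`/`boot_vulnerable`/`boot_fixed` names, the `try_boot` scenario and the keyed FNV-1a checksum that stands in for a real signature are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical image layout (not the Chromecast's): header + payload.
 * The tag stands in for the real signature; here it is a keyed FNV-1a
 * checksum so the example runs offline with no crypto library.       */
#define IMG_MAGIC   0x43415354u          /* "CAST" (made up) */
#define IMG_KEY     "example-key"        /* stands in for the verifying key */
#define VERIFY_OK   0                    /* 0 = success, negative = failure */

struct img_hdr { uint32_t magic; uint32_t payload_len; uint32_t tag; };

static uint32_t keyed_fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (const char *k = IMG_KEY; *k; k++) { h ^= (uint8_t)*k; h *= 0x01000193u; }
    for (size_t i = 0; i < n; i++)       { h ^= p[i];          h *= 0x01000193u; }
    return h;
}

/* Stand-in for the bootloader's VerifyImage: parse the header and check the
 * tag over the payload. Returns VERIFY_OK or a negative reason code.
 * Note: warn_unused_result only fires when the result is discarded outright.
 * A result that is stored and never compared (the bug described above) is
 * not caught by the compiler, which is why a review has to look for it.  */
#if defined(__GNUC__)
__attribute__((warn_unused_result))
#endif
int verify_image(const uint8_t *img, size_t len) {
    struct img_hdr h;
    if (len < sizeof h) return -1;
    memcpy(&h, img, sizeof h);              /* memcpy: no alignment assumptions */
    if (h.magic != IMG_MAGIC) return -2;
    if (h.payload_len > len - sizeof h) return -3;
    if (keyed_fnv1a(img + sizeof h, h.payload_len) != h.tag) return -4;
    return VERIFY_OK;
}

struct boot_state { int verify_status; int flashed; };

/* Vulnerable shape: the status is written to state and never consulted,
 * so the flash happens whatever verify_image returned. */
int boot_vulnerable(const uint8_t *img, size_t len, struct boot_state *st) {
    st->verify_status = verify_image(img, len);
    st->flashed = 1;
    return st->flashed;
}

/* Fixed shape: fail closed. Only an exact VERIFY_OK permits the flash;
 * any other value, including an unexpected positive one, refuses. */
int boot_fixed(const uint8_t *img, size_t len, struct boot_state *st) {
    st->verify_status = verify_image(img, len);
    st->flashed = (st->verify_status == VERIFY_OK);
    return st->flashed;
}

/* Build a correctly tagged image into out; returns total length, 0 if cap is too small. */
size_t build_image(uint8_t *out, size_t cap, const uint8_t *payload, size_t plen) {
    struct img_hdr h = { IMG_MAGIC, (uint32_t)plen, keyed_fnv1a(payload, plen) };
    if (cap < sizeof h + plen) return 0;
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, payload, plen);
    return sizeof h + plen;
}

/* Constructed scenario: build a valid image, optionally flip one payload byte
 * (an attacker's modified system image), then boot with either routine.
 * Returns 1 if the image was flashed, 0 if refused, -1 on a build error. */
int try_boot(int tamper, int use_fixed, int *status_out) {
    static const uint8_t payload[] = "system-img";   /* constructed payload */
    uint8_t buf[64];
    struct boot_state st = { 0, 0 };
    size_t n = build_image(buf, sizeof buf, payload, sizeof payload);
    if (n == 0) return -1;
    if (tamper) buf[sizeof(struct img_hdr)] ^= 0xff;  /* first payload byte */
    int flashed = use_fixed ? boot_fixed(buf, n, &st) : boot_vulnerable(buf, n, &st);
    if (status_out) *status_out = st.verify_status;
    return flashed;
}

/* What verify_image itself says about a tampered image (for checking). */
int tampered_verify_status(void) {
    int status = 0;
    (void)try_boot(1, 0, &status);
    return status;
}

int main(void) {
    int status, flashed;
    flashed = try_boot(1, 0, &status);
    printf("vulnerable, tampered: flashed=%d verify_status=%d\n", flashed, status);
    flashed = try_boot(1, 1, &status);
    printf("fixed,      tampered: flashed=%d verify_status=%d\n", flashed, status);
    flashed = try_boot(0, 1, &status);
    printf("fixed,      intact:   flashed=%d verify_status=%d\n", flashed, status);
    return 0;
}
```

The point of the fixed form is the exact comparison against a single success value: treating anything other than `VERIFY_OK` as a refusal means a verifier that returns an unexpected code, or one that is stubbed out and returns garbage, still cannot let a modified image through.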

29 thoughts on “Chromecast bootloader exploit”

  1. No, it doesn’t run android – It runs a modified google tv build, without dalvik. What do we call android without dalvik? Linux. Reading comprehension, how does it work?

    1. I suppose you’re right about that. I read too much into this statement: “it’s more Android than ChromeOS”. Re-reading my title I did make it sound like the exploit allows you to run Android. I’ll strip that bit out. Thanks.

  2. From TFA: “the value stored in ret is never actually verified to ensure that the call to “VerifyImage” succeeded.”

    Ouch. Someone is going to lose their privs to the free gourmet cafeteria over this.

      1. From a brief look, it doesn’t appear that the price of this device is subsidized by any ongoing subscription. Google profits no matter what you do with the device.

        Now if it were Sony, I’d say this was surely a mistake, and some employees’ heads would roll.

        But Google? I could believe this was intentional. The extra security is stubbed, ready to be enabled at a later date only if necessary; for example, if Broadcom thinks this threatens their proprietary drivers and threatens to pull Google’s license.

        I hope it remains accessible. This is a delightfully hackable device.

  3. The fact that it doesn’t run Android but rather a Java-less Linux distro actually adds value to this gadget. Of course until all stuff by Google can be replaced by a truly open Linux distro I’m not trusting this device enough to let it do its business into my own network.

    1. Do you have a smartphone, game console, TV set, or router on your home network? Have all of them been hacked for open source? What about the printer? I often wonder just what people think will get sniffed out of their network. Also, any really nasty code will be found out very quickly, since every hacker on the planet will be tearing this apart.

      1. That last sentence is nonsense; binaries and encrypted stuff are pretty secure from peeking at what’s inside, and there have been and continue to be tons of nastiness going on without people finding out for decades, or in fact never, so far.

        1. Addendum: Mind you, although I myself am mistrustful of many things, I feel pretty trusting towards the Chromecast; I think it’s the Chrome browser where the danger lurks.
          And maybe if I had a reason to suspect spooks would seek to come within WiFi range of my computer.

          And while I’m on the subject: Remember how google streetview ‘accidentally’ got all that WiFi information as it traveled all over the place? What do you think is the chance that was a service to the NSA? Because if I combine what we learned and then look back at that I can’t but get suspicious. Think about it.

          1. You could look at it as the NSA sub-contracting something they were going to do themselves, but could do more cheaply through a specialist who was going to drive cars round the streets of the world anyway.

            Still pisses on “Don’t be ahem, EVIL!” though. Yeah thanks a lot Google. Has anyone plotted the time it took from the start with a couple of genius geeks having a bright idea, to evil brain-reading psych-manipulating Big-Brother-style EvilCorp? Or perhaps more usefully than time, a dollar amount?

            Are Sergey and whatsisname still in charge up there? Has it been covert or overt as the Evil influence took the thing over? Watching the TV with their high-up financial guy making excuses for fixing the books so Google don’t have to pay any tax in the UK, blaming the tax-men for it, with a completely straight face, inspired Bill Gates levels of face-punching rage.

            I despair for the human race. Why are the few who aren’t completely stupid always evil instead? There needs to be something better than politics. It attracts the sort of sinister weirdos you wouldn’t let babysit your kids.

            I’d sooner be a monkey, anyone wanna join my Kickstarter? I need 40 miles of rope, an uninhabited island, and 4 metric fuckton of bananas.

  4. This is cool.
    I find it quite alarming that most computers you buy today come with a locked root/admin account. I wonder if we will soon have to root a desktop PC or laptop…

    1. You already do; it’s called formatting your Windows partition and installing Linux. No matter how far you delve into Windows, you’re never going to have complete control of it.

      1. ” you’re never going to have complete control of it”

        That can be said of some Linux distros as well. It really all depends on how much control the project manager wants the consumer to have.

  5. While I’m not one to say don’t post this or that, posts like this serve to remind me how far out of the loop I am when it comes to entertainment tech. I still only have a TV whose only input is an F jack. When I’m only assured of receiving one digital TV station OTA, it’s a bit hard to justify purchasing a new TV. I probably will, only to get a VGA input so I can use a computer and the web. That way I can watch team Hackaday from the recliner if they are ever again finalists in the Red Bull contest.

    1. I am in a similar position, but I would skip the VGA and go with HDMI for two reasons: one being that HDMI will be easier to find on new TVs, and the second being integrated audio.

    2. I was planning to pick one up for the living room with how screwy my Blu-ray player has been with Netflix. Hearing it’s hackable, I can’t wait to get one now. It would be nice to load it up with video playback software that can take advantage of modern containers (like chapter support in MKV/MKA), even if I had to write the software myself.

      1. It would be interesting to see if this device could run XBMC; it could make a nice little media centre if it can.

      2. It’s not much cheaper than those Android-TV sticks. They usually have Rockchip processors, often quad CPUs and lots of RAM. Probably more versatile than this. I dunno if they need messing with to enable root access. But I bet there’s a lot you can do with one.

    3. Wow! I got rid of my RF-only TV, 2 TVs ago. The first was from Freecycle, a 30-something inch Sony CRT behemoth. Takes 3 people to lift it upstairs, but the picture and sound were great. People can’t throw CRTs away fast enough, should be plenty to find in the listings. I saw a CRT monitor left on the street for days with “working, FREE” stuck to it, nobody wanted it.

      My current TV is a 26″ LCD, 1080p. Was cheap, 150 quid, is great, has sockets for everything, VGA, 2xHDMI, SCART, composite, YUV and a couple more. Built in digital, mais naturellement, tho it still takes analogue RF if I start collecting 8-bitters again. Built-in DVD player, for as long as it lasts, and who cares if I need to replace it for practically nothing? Cheap enough to be considered disposable, offset over a year or two.

      Hurrah for VVVLSI, data compression, and economies of scale! Hurrah for Chinese mass-production, in these happy days before it bites us in the arse!
