Chromecast Is Root

Image from [psouza4] on the xda-developers forum

Chromecast is as close as you’re going to get to a perfect device – plug it in the back of your TV, and instantly you have Netflix, Hulu, Pandora, and a web browser on the largest display in your house. It’s a much simpler device than a Raspi running XBMC, and we’ve already seen a few Chromecast hacks that stream videos from a phone and rickroll everyone around you.

Now the Chromecast has been rooted, allowing anyone to change the DNS settings (Netflix and Hulu users that want to watch content not available in their country rejoice), and loading custom apps for the Chromecast.

The process of rooting the Chromecast should be fairly simple for the regular readers of Hackaday. It requires a Teensy 2 or 2++ dev board, a USB OTG cable, and a USB flash drive. Plug the Teensy into the Chromecast and wait a minute. Remove the Teensy, plug in the USB flash drive, and wait several more minutes. Success is you, and your Chromecast is now rooted.

Member of Team-Eureka [riptidewave93] has put up a demo video of rooting a new in box Chromecast in just a few minutes. You can check that out below.

43 thoughts on “Chromecast Is Root

      1. Yeah i fell for that before, when the thing was not crashing or allegedly stealing passwords it was just giving me all sorts of trouble
        Got a chromecast for $25 shipped and never looked back

  1. This would have been cooler if found earlier. As of now you can just do a screen mirror and cast the screen of the phone itself with the latest versions of Android (as well as an enabler app if your phone isn’t “officially” supported like the Samsung Galaxy S3, etc). Only thing that kinda bites is that games are a bit too laggy to play well.

    1. $3.99 from newegg….so expensive!

      make sure you get a powered one – I have an unpowered otg cable and its near-worthless for its usual purpose (ie. connecting to usb mass storage that requires more power than a cellphone puts out it’s port)

    1. Sure beats buying a dumb^H^H^H^Hsmart TV – at least when this is obsolete you can just get the newer one for less than the price of an XBox One, PS4, and Wii U combined! Or if you got a $1000+ TV just for this feature, you can just get a sub-$50 device which gets cheaper every day.

  2. Great work, but..
    Is the source available? Checked the forum post, but only had links to the hex and bin files. I understand the developers may want to keep their backdoor secret to avoid being patched, but hex files are pretty easily disassembled and this is likely where their hack lives, so why hide it.
    I am more-so worried about the 130mb of unknown software with root access in hubcap-flashcast.bin. Chromecast is a device that has my google login credentials which i regard as the keys to the kingdom. I may try to binwalk it later to see if i can extract the fs and hopefully confirm that there is nothing too fishy going on here.

    1. I would be interested to read the results of your investigation. Sadly, we live in an era where the immediate question should be “what aren’t we asking?” rather than “what can x do for me?”.

      If you can capture your investigation in a blow-by-blow fashion, I expect it would make a great HAD follow-up article!

    2. looks fine.
      briefly what i did:
      :~/binwalk hubcap-flashcast.bin
      reveals a squashfs partition starting at
      position 20975616
      :~/dd if=hubcap-flashcast.bin bs=1 skip=20975616 of=hubcap.squashfs
      :~/unsquash hubcap.squashfs
      reveals a small filesystem containing some system roms and
      a downgraded bootloader loader. This is likely the root teams work here (so I was wrong that it was all in the avr code. The avr code may just be like a stack pointer fuzzer to trick the device to execute unsigned code similar to ps3 exploit, who knows)

      Anyhow, my concern was the squashfs. so i looked at the file
      20Eureka-ROM/images/system.img
      the other two files are stock android boot and recovery loaders
      06f8219c30a131919c95947de27874e5 boot.img
      15dd6ddf616b2de6da3ae17143c36f2e recovery.img
      The system image is a squash partition too, and needs no dd pruning
      so unsquashfs system.img
      paydirt, this is a linux like file system with netflix and all the goodies in it.
      Checking each file is tedious but for anyone with more time/expertise here are the signatures and file definitions of all the files
      http://homepages.uc.edu/~carrahle/doc/filesums
      http://homepages.uc.edu/~carrahle/doc/files

      At first glance every thing looks ok. But I’m not much of an expert at what to look for regarding nefarious code. Figure a file to file signature comparison with known uncompromised code would be useful but tedious.

      1. Just got off the phone w/chomecast “non-tech support” and when I asked about configuring it remotely when he told me I wouldn’t be able to use one since I
        only have linux computers at my disposal but can use a friends mac, he paused, started, paused, started to say yes as I asked if I could ssh into the device to do whatever vodoo this dude claimed was super complicated. he didn’t stop soon enough and fully admitted that they have a root shell w/defaul creds. When I asked
        him what he’d just started to say, he told me he can’t talk about it. I asked again if there was a root shell and again, insunuating that there was he said he was not allowed to talk about it. I thought it was plug and watch since being a linux user and needing to subscribe to a streaming service from Ireland that has told me flat out, “no Open-Source anything is allowed or will work on our system”, a system that uses Apache for their webserver and nginx for the content server. Is that possible from a tech point of view? Or is it more netflix type nonsense. I really believe that anyone using Linux servers to serve content that block other Linux users(nearly everyone) needs to be limited to additions to all open-source licences, or variation. How is that right.

        1. oops, very poory worded and a bit confusing. At the end I was trying to say that software licences need to be amended to bar for example, Netflix(who doesn’t allow any *nix users other than crApple users) from using the software if they refuse to serve people who chose to use rea software. The service I’m having trouble with that makes Netflix look like angles is called GAAGO. Love to hear what you all think of the TOS… no mention of Open Source or Linux, I looked HARD, even using grep to make sure I didn’t miss anything. Really, you should read it.
          Sorry if I missed the ‘edit’ button.

  3. Actually rooting a NEW CHROMECAST doesn’t require ANY hardware other than a USB cord and access to a computer with ADB installed. You only need complicated hacks once the chromecast is allowed to take the first over the air update which blocks the simple root exploit. Not sure if the units being sold now have the updated software or not but this was the story when chromecast was first released.

    1. Presumably communicating over SPI. You could probably do it through a parallel port, if you have one, and if your PC can manage the timing requirements. With modern OSes, that’s not always the case, asking for a bit of a port to be “1” doesn’t set it to “1” til a certain time later, depending on all the other stuff the system’s doing, and the drivers and the PC’s interrupts etc.

      If you want to flip pins at a reliable constant time, a microcontroller with no OS on board, just running a single program on bare metal, can be a lot better than a PC. It’s timing is completely predictable.

      This applies even more so if you don’t have a parallel port. Most chips like the one in the Chromecast don’t accept low-level programming through USB. So the Teensy reads the new code for the Chromecast, over USB from the PC. Then sends the code out as SPI with accurate timing.

  4. Without having read the article I would guess that the USB OTG is so that the chrome cast act as USB host and can accept USB devices (instead of being one) on its micro USB port, and the teensy (and Leonardo) can become a USB device. PC’s can’t do that.
    Pair that with the recent announcements that USB host ports are new, unexplored cracking vectors.

  5. What if someone wished a different usage for this dongle (car pc, home automation, electronic instrumentation, etc)?
    Read: can I wipe it completely then install a real embedded linux distro on it?

    1. Im sure you “can” wipe the device, getting a full linux distro on it might be more difficult, but the question is more why would you want to? what possible use can a device with hdmi out and wifi have for a car pc or home automation project other than putting media on a tv, which it already does?
      You’d be better off with an RPi…

      1. It makes sense because these devices are going to be mass produced (more people interested in viewing media than those hacking embedded boards) therefore soon or later they’ll end up costing a lot less than the RPi. Also, soon or later most monitors including car mountable ones will have HDMI. Add a USB to whataver (i/o, audio, storage, etc) interface and bingo! here’s one more low cost general purpose sbc to play with.

  6. Hi, i have done everything you said up to the 1:57 mark on your video. Unfortunately when i connect the teensy to the chromcast with the button pressed, the chromcast light goes red and the light on the teensy does not flash, it is just a constant orange. I have seen your video multiple times and I am sure I am doing everyting ok. Any idea as to what might be wrong?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s