Chromecast Is Root

Image from [psouza4] on the xda-developers forum

Chromecast is as close as you’re going to get to a perfect device – plug it in the back of your TV, and instantly you have Netflix, Hulu, Pandora, and a web browser on the largest display in your house. It’s a much simpler device than a Raspi running XBMC, and we’ve already seen a few Chromecast hacks that stream videos from a phone and rickroll everyone around you.

Now the Chromecast has been rooted, allowing anyone to change the DNS settings (Netflix and Hulu users that want to watch content not available in their country rejoice) and load custom apps for the Chromecast.

The process of rooting the Chromecast should be fairly simple for the regular readers of Hackaday. It requires a Teensy 2 or 2++ dev board, a USB OTG cable, and a USB flash drive. Plug the Teensy into the Chromecast and wait a minute. Remove the Teensy, plug in the USB flash drive, and wait several more minutes. Success is you, and your Chromecast is now rooted.

Team-Eureka member [riptidewave93] has put up a demo video of rooting a new-in-box Chromecast in just a few minutes. You can check that out below.

40 thoughts on “Chromecast Is Root”

      1. Yeah I fell for that before, when the thing was not crashing or allegedly stealing passwords it was just giving me all sorts of trouble
        Got a Chromecast for $25 shipped and never looked back

  1. This would have been cooler if found earlier. As of now you can just do a screen mirror and cast the screen of the phone itself with the latest versions of Android (as well as an enabler app if your phone isn’t “officially” supported like the Samsung Galaxy S3, etc). Only thing that kinda bites is that games are a bit too laggy to play well.

    1. Well, playing games on the TV works very well with my $15 Miracast stick. If it doesn’t with Chromecast, then Google is doing something wrong.

      1. Not really. I’ve seen the videos on YouTube with Miracast, it’s still close to a 0.2 second delay. It may not be much, but for twitch gaming like say in fighting games and the like, not really playable.

  2. Does it have to be a Teensy? Plenty of non-Teensy Arduinos / AVRs out there, is there so much difference? Oh, I’ll go look.

    1. $3.99 from newegg….so expensive!

      make sure you get a powered one – I have an unpowered OTG cable and it’s near-worthless for its usual purpose (i.e. connecting to USB mass storage that requires more power than a cellphone puts out its port)

    1. I’m sure it could, but would require a lot of custom work.
      A raspberry pi /odroid / mk80x would be a much easier platform to work with.

  3. This is exciting. I nearly bought a chromecast the other day but was put off by the restrictions of what it can do. I hope they can open it up to the Arduino too :)

    1. Sure beats buying a dumb^H^H^H^Hsmart TV – at least when this is obsolete you can just get the newer one for less than the price of an XBox One, PS4, and Wii U combined! Or if you got a $1000+ TV just for this feature, you can just get a sub-$50 device which gets cheaper every day.

  4. Great work, but..
    Is the source available? Checked the forum post, but only had links to the hex and bin files. I understand the developers may want to keep their backdoor secret to avoid being patched, but hex files are pretty easily disassembled and this is likely where their hack lives, so why hide it.
    I am more-so worried about the 130 MB of unknown software with root access in hubcap-flashcast.bin. Chromecast is a device that has my Google login credentials which I regard as the keys to the kingdom. I may try to binwalk it later to see if I can extract the fs and hopefully confirm that there is nothing too fishy going on here.

    1. I would be interested to read the results of your investigation. Sadly, we live in an era where the immediate question should be “what aren’t we asking?” rather than “what can x do for me?”.

      If you can capture your investigation in a blow-by-blow fashion, I expect it would make a great HAD follow-up article!

    2. looks fine.
      briefly what I did:
      :~/binwalk hubcap-flashcast.bin
      reveals a squashfs partition starting at
      position 20975616
      :~/dd if=hubcap-flashcast.bin bs=1 skip=20975616 of=hubcap.squashfs
      :~/unsquashfs hubcap.squashfs
      reveals a small filesystem containing some system roms and
      a downgraded bootloader loader. This is likely the root team’s work here (so I was wrong that it was all in the AVR code. The AVR code may just be like a stack pointer fuzzer to trick the device to execute unsigned code similar to PS3 exploit, who knows)

      Anyhow, my concern was the squashfs. So I looked at the file
      20Eureka-ROM/images/system.img
      the other two files are stock android boot and recovery loaders
      06f8219c30a131919c95947de27874e5 boot.img
      15dd6ddf616b2de6da3ae17143c36f2e recovery.img
      The system image is a squash partition too, and needs no dd pruning
      so unsquashfs system.img
      paydirt, this is a Linux-like file system with Netflix and all the goodies in it.
      Checking each file is tedious but for anyone with more time/expertise here are the signatures and file definitions of all the files

      http://homepages.uc.edu/~carrahle/doc/filesums

      http://homepages.uc.edu/~carrahle/doc/files

      At first glance everything looks ok. But I’m not much of an expert at what to look for regarding nefarious code. Figure a file to file signature comparison with known uncompromised code would be useful but tedious.
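
The file-to-file comparison suggested in the comment above can be scripted. This is an added example, not part of the original comment or of the Team-Eureka release; it uses SHA-256 rather than the MD5 sums listed in the comment, and the directory names and file contents in `demo` are constructed stand-ins for two `unsquashfs` output trees.

```shell
# manifest DIR: print "<sha256>  <relative path>" for every regular file in DIR.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort -k2
}

# compare_manifests BASELINE SUSPECT: list files ADDED, CHANGED or REMOVED
# in SUSPECT relative to BASELINE (both are sha256sum-format manifest files).
compare_manifests() {
    awk '
        {
            hash = $1
            path = substr($0, length($1) + 3)   # skip hash + 2-char separator
        }
        FILENAME == ARGV[1] { base[path] = hash; next }   # baseline entries
        {
            seen[path] = 1
            if (!(path in base)) { print "ADDED   " path }
            else if (base[path] != hash) { print "CHANGED " path }
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# demo: build two small constructed trees (a "stock" image and the image
# under review), hash both, and report the differences.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/stock/bin" "$tmp/suspect/bin" "$tmp/suspect/etc"
    echo 'stock init'    > "$tmp/stock/bin/init"
    echo 'stock init'    > "$tmp/suspect/bin/init"
    echo 'stock updater' > "$tmp/stock/bin/updater"
    echo 'patched'       > "$tmp/suspect/bin/updater"
    echo 'old tool'      > "$tmp/stock/bin/legacy"
    echo 'nameserver'    > "$tmp/suspect/etc/resolv.conf"
    manifest "$tmp/stock"   > "$tmp/stock.sums"
    manifest "$tmp/suspect" > "$tmp/suspect.sums"
    compare_manifests "$tmp/stock.sums" "$tmp/suspect.sums"
    rm -rf "$tmp"
}

demo
```

Unchanged files produce no output, so only the ADDED, CHANGED and REMOVED entries need manual review.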

  5. Actually rooting a NEW CHROMECAST doesn’t require ANY hardware other than a USB cord and access to a computer with ADB installed. You only need complicated hacks once the chromecast is allowed to take the first over the air update which blocks the simple root exploit. Not sure if the units being sold now have the updated software or not but this was the story when chromecast was first released.

    1. Presumably communicating over SPI. You could probably do it through a parallel port, if you have one, and if your PC can manage the timing requirements. With modern OSes, that’s not always the case, asking for a bit of a port to be “1” doesn’t set it to “1” til a certain time later, depending on all the other stuff the system’s doing, and the drivers and the PC’s interrupts etc.

      If you want to flip pins at a reliable constant time, a microcontroller with no OS on board, just running a single program on bare metal, can be a lot better than a PC. Its timing is completely predictable.

      This applies even more so if you don’t have a parallel port. Most chips like the one in the Chromecast don’t accept low-level programming through USB. So the Teensy reads the new code for the Chromecast, over USB from the PC. Then sends the code out as SPI with accurate timing.

      1. It has nothing to do with SPI. The Teensy isn’t even connected to a PC so it isn’t loading anything over USB from the PC.

  6. Without having read the article I would guess that the USB OTG is so that the Chromecast acts as a USB host and can accept USB devices (instead of being one) on its micro USB port, and the Teensy (and Leonardo) can become a USB device. PCs can’t do that.
    Pair that with the recent announcements that USB host ports are new, unexplored cracking vectors.

  7. What if someone wished a different usage for this dongle (car pc, home automation, electronic instrumentation, etc)?
    Read: can I wipe it completely then install a real embedded linux distro on it?

    1. I’m sure you “can” wipe the device, getting a full Linux distro on it might be more difficult, but the question is more why would you want to? What possible use can a device with HDMI out and wifi have for a car PC or home automation project other than putting media on a TV, which it already does?
      You’d be better off with an RPi…

      1. It makes sense because these devices are going to be mass produced (more people interested in viewing media than those hacking embedded boards) therefore sooner or later they’ll end up costing a lot less than the RPi. Also, sooner or later most monitors including car mountable ones will have HDMI. Add a USB to whatever (i/o, audio, storage, etc) interface and bingo! Here’s one more low cost general purpose SBC to play with.
