Chromecast Is Root


Image from [psouza4] on the xda-developers forum

Chromecast is as close as you’re going to get to a perfect device – plug it in the back of your TV, and instantly you have Netflix, Hulu, Pandora, and a web browser on the largest display in your house. It’s a much simpler device than a Raspi running XBMC, and we’ve already seen a few Chromecast hacks that stream videos from a phone and rickroll everyone around you.

Now the Chromecast has been rooted, allowing anyone to change the DNS settings (Netflix and Hulu users that want to watch content not available in their country rejoice), and loading custom apps for the Chromecast.

The process of rooting the Chromecast should be fairly simple for the regular readers of Hackaday. It requires a Teensy 2 or 2++ dev board, a USB OTG cable, and a USB flash drive. Plug the Teensy into the Chromecast and wait a minute. Remove the Teensy, plug in the USB flash drive, and wait several more minutes. Success is you, and your Chromecast is now rooted.

Member of Team-Eureka [riptidewave93] has put up a demo video of rooting a new in box Chromecast in just a few minutes. You can check that out below.


  1. Nate B says:

    Aaaand countdown ’til Teensies go out of stock in 3.. 2…

  2. Rob S says:

    I really like some of the articles that you have done lately, especially the clamps one and the OpenCV one. Keep up the good work, Hackaday!

  3. This would have been cooler if found earlier. As of now you can just do a screen mirror and cast the screen of the phone itself with the latest versions of Android (as well as an enabler app if your phone isn’t “officially” supported like the Samsung Galaxy S3, etc). Only thing that kinda bites is that games are a bit too laggy to play well.

  4. bro89 says:

    Is there a good stick which can play amazon instant video?

  5. eccentricelectron says:


  6. Greenaum says:

    Does it have to be a Teensy? Plenty of non-Teensy Arduinos / AVRs out there, is there so much difference? Oh, I’ll go look.

  7. onebiozz says:

    reminds me of the PS3 root … hopfully someone can do this on a PC … i dont find it worth buying a USB-OTG!

  8. mhespenh says:

    Haha the parts to root the device cost almost as much as the device itself!

    Still, very cool. Bring on the unofficial apps!

  9. greenbacks says:

    Do these have any internal storage or are able to mount so usb to use this as a digital signage player?

  10. StinkySteve says:

    This is exciting. I nearly bought a chromecast the other day but was put off by the restrictions of what it can do. I hope they can open it up to the Arduino too :)

    • Joe2 says:

      Sure beats buying a dumb^H^H^H^Hsmart TV – at least when this is obsolete you can just get the newer one for less than the price of an XBox One, PS4, and Wii U combined! Or if you got a $1000+ TV just for this feature, you can just get a sub-$50 device which gets cheaper every day.

  11. lee says:

    Great work, but..
    Is the source available? Checked the forum post, but only had links to the hex and bin files. I understand the developers may want to keep their backdoor secret to avoid being patched, but hex files are pretty easily disassembled and this is likely where their hack lives, so why hide it.
    I am more-so worried about the 130mb of unknown software with root access in hubcap-flashcast.bin. Chromecast is a device that has my google login credentials which i regard as the keys to the kingdom. I may try to binwalk it later to see if i can extract the fs and hopefully confirm that there is nothing too fishy going on here.

    • Rob says:

      I would be interested to read the results of your investigation. Sadly, we live in an era where the immediate question should be “what aren’t we asking?” rather than “what can x do for me?”.

      If you can capture your investigation in a blow-by-blow fashion, I expect it would make a great HAD follow-up article!

    • lee says:

      looks fine.
      briefly what i did:
      :~/binwalk hubcap-flashcast.bin
      reveals a squashfs partition starting at
      position 20975616
      :~/dd if=hubcap-flashcast.bin bs=1 skip=20975616 of=hubcap.squashfs
      :~/unsquash hubcap.squashfs
      reveals a small filesystem containing some system roms and
      a downgraded bootloader loader. This is likely the root teams work here (so I was wrong that it was all in the avr code. The avr code may just be like a stack pointer fuzzer to trick the device to execute unsigned code similar to ps3 exploit, who knows)

      Anyhow, my concern was the squashfs. so i looked at the file
      the other two files are stock android boot and recovery loaders
      06f8219c30a131919c95947de27874e5 boot.img
      15dd6ddf616b2de6da3ae17143c36f2e recovery.img
      The system image is a squash partition too, and needs no dd pruning
      so unsquashfs system.img
      paydirt, this is a linux like file system with netflix and all the goodies in it.
      Checking each file is tedious but for anyone with more time/expertise here are the signatures and file definitions of all the files

      At first glance every thing looks ok. But I’m not much of an expert at what to look for regarding nefarious code. Figure a file to file signature comparison with known uncompromised code would be useful but tedious.

  12. GC says:

    Actually rooting a NEW CHROMECAST doesn’t require ANY hardware other than a USB cord and access to a computer with ADB installed. You only need complicated hacks once the chromecast is allowed to take the first over the air update which blocks the simple root exploit. Not sure if the units being sold now have the updated software or not but this was the story when chromecast was first released.

  13. mattbed says:

    Sorry for being thick but what is the teensy doing over USB that cant be done by a pc?

    • Greenaum says:

      Presumably communicating over SPI. You could probably do it through a parallel port, if you have one, and if your PC can manage the timing requirements. With modern OSes, that’s not always the case, asking for a bit of a port to be “1” doesn’t set it to “1” til a certain time later, depending on all the other stuff the system’s doing, and the drivers and the PC’s interrupts etc.

      If you want to flip pins at a reliable constant time, a microcontroller with no OS on board, just running a single program on bare metal, can be a lot better than a PC. It’s timing is completely predictable.

      This applies even more so if you don’t have a parallel port. Most chips like the one in the Chromecast don’t accept low-level programming through USB. So the Teensy reads the new code for the Chromecast, over USB from the PC. Then sends the code out as SPI with accurate timing.

  14. commfreaks says:

    Without having read the article I would guess that the USB OTG is so that the chrome cast act as USB host and can accept USB devices (instead of being one) on its micro USB port, and the teensy (and Leonardo) can become a USB device. PC’s can’t do that.
    Pair that with the recent announcements that USB host ports are new, unexplored cracking vectors.

  15. qwerty says:

    What if someone wished a different usage for this dongle (car pc, home automation, electronic instrumentation, etc)?
    Read: can I wipe it completely then install a real embedded linux distro on it?

    • mattbed says:

      Im sure you “can” wipe the device, getting a full linux distro on it might be more difficult, but the question is more why would you want to? what possible use can a device with hdmi out and wifi have for a car pc or home automation project other than putting media on a tv, which it already does?
      You’d be better off with an RPi…

      • qwerty says:

        It makes sense because these devices are going to be mass produced (more people interested in viewing media than those hacking embedded boards) therefore soon or later they’ll end up costing a lot less than the RPi. Also, soon or later most monitors including car mountable ones will have HDMI. Add a USB to whataver (i/o, audio, storage, etc) interface and bingo! here’s one more low cost general purpose sbc to play with.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 96,545 other followers