Chromecast is as close as you’re going to get to a perfect device – plug it in the back of your TV, and instantly you have Netflix, Hulu, Pandora, and a web browser on the largest display in your house. It’s a much simpler device than a Raspi running XBMC, and we’ve already seen a few Chromecast hacks that stream videos from a phone and rickroll everyone around you.
Now the Chromecast has been rooted, allowing anyone to change the DNS settings (Netflix and Hulu users that want to watch content not available in their country rejoice), and loading custom apps for the Chromecast.
The process of rooting the Chromecast should be fairly simple for the regular readers of Hackaday. It requires a Teensy 2 or 2++ dev board, a USB OTG cable, and a USB flash drive. Plug the Teensy into the Chromecast and wait a minute. Remove the Teensy, plug in the USB flash drive, and wait several more minutes. Success is you, and your Chromecast is now rooted.
Member of Team-Eureka [riptidewave93] has put up a demo video of rooting a new in box Chromecast in just a few minutes. You can check that out below.
Aaaand countdown ’til Teensies go out of stock in 3.. 2…
already out of stock(in 2 sites i checked)… lel
Naa, Chromecasts aren’t that cool devices.
The chinese version (named EZcast) is much cheaper and can do much more.
Yeah i fell for that before, when the thing was not crashing or allegedly stealing passwords it was just giving me all sorts of trouble
Got a chromecast for $25 shipped and never looked back
This message was provided by Google, powered by NSA.
I really like some of the articles that you have done lately, especially the clamps one and the OpenCV one. Keep up the good work, Hackaday!
This would have been cooler if found earlier. As of now you can just do a screen mirror and cast the screen of the phone itself with the latest versions of Android (as well as an enabler app if your phone isn’t “officially” supported like the Samsung Galaxy S3, etc). Only thing that kinda bites is that games are a bit too laggy to play well.
Well, playing games on the TV works very well with my $15 Miracast stick. If it doesn’t with Chromecast, then Google is doing something wrong.
Not really. I’ve seen the videos on YouTube with Miracast, it’s still close to a 0.2 second delay. It may not be much, but for twitch gaming like say in fighting games and the like, not really playable.
in fighting games and the like
WHich Miricast stick do you have? I’ve bought several junk ones.
Is there a good stick which can play amazon instant video?
You can chrome cast amazon instant video if you disable silverlight in chrome.
s/you/yours
Does it have to be a Teensy? Plenty of non-Teensy Arduinos / AVRs out there, is there so much difference? Oh, I’ll go look.
well it would work on any ATMEGA32u4 in its current configuration
Do you mind posting the method – was this the teensy 2.0 hex and ax loader ?
reminds me of the PS3 root … hopfully someone can do this on a PC … i dont find it worth buying a USB-OTG!
$3.99 from newegg….so expensive!
make sure you get a powered one – I have an unpowered otg cable and its near-worthless for its usual purpose (ie. connecting to usb mass storage that requires more power than a cellphone puts out it’s port)
Yea, when can we do this voodoo with just a PC?
Since like 1999?
Haha the parts to root the device cost almost as much as the device itself!
Still, very cool. Bring on the unofficial apps!
Yeah but the device itself is $30.
$30 doesn’t get you very far in the retail end of microprocessing.
Do these have any internal storage or are able to mount so usb to use this as a digital signage player?
I’m sure it could, but would require alot of custom work.
A raspberry pi /odroid / mk80x would be a much easier platform to work with.
This is exciting. I nearly bought a chromecast the other day but was put off by the restrictions of what it can do. I hope they can open it up to the Arduino too :)
Sure beats buying a dumb^H^H^H^Hsmart TV – at least when this is obsolete you can just get the newer one for less than the price of an XBox One, PS4, and Wii U combined! Or if you got a $1000+ TV just for this feature, you can just get a sub-$50 device which gets cheaper every day.
Great work, but..
Is the source available? Checked the forum post, but only had links to the hex and bin files. I understand the developers may want to keep their backdoor secret to avoid being patched, but hex files are pretty easily disassembled and this is likely where their hack lives, so why hide it.
I am more-so worried about the 130mb of unknown software with root access in hubcap-flashcast.bin. Chromecast is a device that has my google login credentials which i regard as the keys to the kingdom. I may try to binwalk it later to see if i can extract the fs and hopefully confirm that there is nothing too fishy going on here.
I would be interested to read the results of your investigation. Sadly, we live in an era where the immediate question should be “what aren’t we asking?” rather than “what can x do for me?”.
If you can capture your investigation in a blow-by-blow fashion, I expect it would make a great HAD follow-up article!
looks fine.
briefly what i did:
:~/binwalk hubcap-flashcast.bin
reveals a squashfs partition starting at
position 20975616
:~/dd if=hubcap-flashcast.bin bs=1 skip=20975616 of=hubcap.squashfs
:~/unsquash hubcap.squashfs
reveals a small filesystem containing some system roms and
a downgraded bootloader loader. This is likely the root teams work here (so I was wrong that it was all in the avr code. The avr code may just be like a stack pointer fuzzer to trick the device to execute unsigned code similar to ps3 exploit, who knows)
Anyhow, my concern was the squashfs. so i looked at the file
20Eureka-ROM/images/system.img
the other two files are stock android boot and recovery loaders
06f8219c30a131919c95947de27874e5 boot.img
15dd6ddf616b2de6da3ae17143c36f2e recovery.img
The system image is a squash partition too, and needs no dd pruning
so unsquashfs system.img
paydirt, this is a linux like file system with netflix and all the goodies in it.
Checking each file is tedious but for anyone with more time/expertise here are the signatures and file definitions of all the files
http://homepages.uc.edu/~carrahle/doc/filesums
http://homepages.uc.edu/~carrahle/doc/files
At first glance every thing looks ok. But I’m not much of an expert at what to look for regarding nefarious code. Figure a file to file signature comparison with known uncompromised code would be useful but tedious.
Just got off the phone w/chomecast “non-tech support” and when I asked about configuring it remotely when he told me I wouldn’t be able to use one since I
only have linux computers at my disposal but can use a friends mac, he paused, started, paused, started to say yes as I asked if I could ssh into the device to do whatever vodoo this dude claimed was super complicated. he didn’t stop soon enough and fully admitted that they have a root shell w/defaul creds. When I asked
him what he’d just started to say, he told me he can’t talk about it. I asked again if there was a root shell and again, insunuating that there was he said he was not allowed to talk about it. I thought it was plug and watch since being a linux user and needing to subscribe to a streaming service from Ireland that has told me flat out, “no Open-Source anything is allowed or will work on our system”, a system that uses Apache for their webserver and nginx for the content server. Is that possible from a tech point of view? Or is it more netflix type nonsense. I really believe that anyone using Linux servers to serve content that block other Linux users(nearly everyone) needs to be limited to additions to all open-source licences, or variation. How is that right.
oops, very poory worded and a bit confusing. At the end I was trying to say that software licences need to be amended to bar for example, Netflix(who doesn’t allow any *nix users other than crApple users) from using the software if they refuse to serve people who chose to use rea software. The service I’m having trouble with that makes Netflix look like angles is called GAAGO. Love to hear what you all think of the TOS… no mention of Open Source or Linux, I looked HARD, even using grep to make sure I didn’t miss anything. Really, you should read it.
Sorry if I missed the ‘edit’ button.
Actually rooting a NEW CHROMECAST doesn’t require ANY hardware other than a USB cord and access to a computer with ADB installed. You only need complicated hacks once the chromecast is allowed to take the first over the air update which blocks the simple root exploit. Not sure if the units being sold now have the updated software or not but this was the story when chromecast was first released.
Sorry for being thick but what is the teensy doing over USB that cant be done by a pc?
Presumably communicating over SPI. You could probably do it through a parallel port, if you have one, and if your PC can manage the timing requirements. With modern OSes, that’s not always the case, asking for a bit of a port to be “1” doesn’t set it to “1” til a certain time later, depending on all the other stuff the system’s doing, and the drivers and the PC’s interrupts etc.
If you want to flip pins at a reliable constant time, a microcontroller with no OS on board, just running a single program on bare metal, can be a lot better than a PC. It’s timing is completely predictable.
This applies even more so if you don’t have a parallel port. Most chips like the one in the Chromecast don’t accept low-level programming through USB. So the Teensy reads the new code for the Chromecast, over USB from the PC. Then sends the code out as SPI with accurate timing.
It has nothing to do with SPI. The Teensy isn’t even connected to a PC so it isn’t loading anything over USB from the PC.
Without having read the article I would guess that the USB OTG is so that the chrome cast act as USB host and can accept USB devices (instead of being one) on its micro USB port, and the teensy (and Leonardo) can become a USB device. PC’s can’t do that.
Pair that with the recent announcements that USB host ports are new, unexplored cracking vectors.
What if someone wished a different usage for this dongle (car pc, home automation, electronic instrumentation, etc)?
Read: can I wipe it completely then install a real embedded linux distro on it?
Im sure you “can” wipe the device, getting a full linux distro on it might be more difficult, but the question is more why would you want to? what possible use can a device with hdmi out and wifi have for a car pc or home automation project other than putting media on a tv, which it already does?
You’d be better off with an RPi…
It makes sense because these devices are going to be mass produced (more people interested in viewing media than those hacking embedded boards) therefore soon or later they’ll end up costing a lot less than the RPi. Also, soon or later most monitors including car mountable ones will have HDMI. Add a USB to whataver (i/o, audio, storage, etc) interface and bingo! here’s one more low cost general purpose sbc to play with.
Hi, i have done everything you said up to the 1:57 mark on your video. Unfortunately when i connect the teensy to the chromcast with the button pressed, the chromcast light goes red and the light on the teensy does not flash, it is just a constant orange. I have seen your video multiple times and I am sure I am doing everyting ok. Any idea as to what might be wrong?
same here…I think the problem is the firmware update has closed the ROM loop hole for the current rooting software.
hey nice but what can you do with a rooted Chromecast, loading custom apps? meaning I can use XBMC for example? Is there a list with extra functions for the rooted CC? I’ll buy one if it can do video mirroring!