HOWTO: Force Chromecast to Boot from USB (Possible Brick Recovery Method) - Google Chromecast

WARNING: This should be the VERY VERY VERY VERY (Am I clear enough about this?) LAST thing you do to try and fix a chromecast. This can possibly fry a chromecast for good, so know going into this that it may not work!
Because of this, Me, XDA, and all other users are NOT RESPONSIBLE for any damage, problems, or issues that may arise from using this method. By using this tutorial, you agree and understand the above warning.
So, I had a Chromecast that I got stuck in "backupsys" boot mode, where it would try to boot the backupsys partition. Issue is, it would not boot, and you can't force it to boot from jumpdrive while it is in "recovery" or "backupsys" mode.
Well after tearing the thing down and getting UART setup, I started messing around, and found a way to FORCE the device to read from USB, regardless of the boot mode.
How this works is during the boot process, you jump 2 select pins on the PCB by the CPU, which causes the device to have a block read error while reading the system flash. When this happens, the device falls back into USB read mode.
Because this causes a read interrupt, it "MAY" have unknown effects on the longevity of your device, so like I said before, this should be a LAST RESORT OPTION ONLY.
What You Need:
Chromecast with Rootable Bootloader
Paper Clip/Needle to jump some TINY pins
UART hooked up to your computer
Jump Drive with the Root Image & USB OTG Cable
Process:
Step 1: Tear down your device, and have it hooked up to UART on your computer.
Step 2: Have the USB OTG Cable and Jump Drive with the root image plugged into the chromecast. Do not have it plugged into power yet.
Step 3: On the top side of the chromecast (Not the side with the UART Pins), carefully remove the RF shield to reveal the WiFi Chip and CPU.
Step 4: Have putty open and connected to your UART COM port. Also have "reboot recovery" in your clipboard. (Copy that command so you can right-click in putty to send it quick)
Step 5: Now, prepare to jump pin #26 (shown in photo below, marked with red square on right side of CPU) when you plug in the chromecast to power it.
Step 6: Plug in the chromecast power, and watch the UART output. Once the Chromecast LED turns red, use the paper clip to short pin #26 and you should get the following output:
Code:
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
PG868: leakage=208 vcore=10 sysctl=59
Customer key found, loading customer key...
Loading Secure Customer Key Store is finished
Loading Secure Customer Key Store is finished
Finish loading Customer Key store
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
OTP status=0x000000FF lkg curr=208 mA
nand_randomizer_init_by_flash_type(chip_id = 0x2C48044AA500): !!! RANDOMIZED !!!
[FASTLOGO] init.
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
showlogo_init_irq, Enable IRQ_dHubIntrAvio0(0x20) for cpu 0
[FASTLOGO] done.
fts: v155 loaded from 0x00268000
Read failed @ 0x7814c000
ERROR: Failed to read CPU image ret -1
Booting from NAND failed, booting from USB....!
timer_clk_freq = 0x47868c0
USB: Register 10011 NbrPorts 1
USB EHCI 1.00
scanning bus for devices... 2 USB Device(s) found
scanning bus for storage devices... 1 Storage Device(s) found
If you do not see "Booting from NAND failed, booting from USB....!", unplug the chromecast, and try again.
Step 7: The chromecast will now try and boot the Jump Drive image. During this, there will be a root shell hiding under all the output. You need to QUICKLY and repeatedly press Enter until you see "/ # " flash on the screen. Once you see that flash, QUICKLY press right-click so putty pastes your clipboard, and then press enter. If you do this fast enough, the kernel will run "reboot recovery" and restart.
Step 8: The device will now try to boot the normal recovery partition. This is fine, because even if it fails, the bootloader will detect this and reset the device to normal boot mode after a few power cycles. After a few power cycles, the chromecast should eventually show the following over UART:
Code:
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
PG868: leakage=208 vcore=10 sysctl=59
Customer key found, loading customer key...
Loading Secure Customer Key Store is finished
Loading Secure Customer Key Store is finished
Finish loading Customer Key store
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
OTP status=0x000000FF lkg curr=208 mA
nand_randomizer_init_by_flash_type(chip_id = 0x2C48044AA500): !!! RANDOMIZED !!!
[FASTLOGO] init.
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
showlogo_init_irq, Enable IRQ_dHubIntrAvio0(0x20) for cpu 0
[FASTLOGO] done.
fts: v168 loaded from 0x0029c000
[SHOWLOGO] stopped
Boot normal GTV image
fts: record v169 commited @ 0x002a0000
Uncompressing Linux... done, booting the kernel.
And congrats, the device is now back to Normal Boot Mode! You can now hold the power button during power on to properly flash the rooted image, and your device should be good to go!
DEVS: If you want to help make this easier, can you make a USB image that just boots the kernel and stops at command line? Would make this process easier.
FAQ:
Q: Why do I need this? I can just hold down the button to boot from a Jump Drive.
A: This is true, but if a Chromecast is in any other boot mode besides normal, then it will be unable to boot from USB. This is just how the bootloader is coded. (I submitted a patch to google regarding this, even though it would never help us out thanks to the updated locked bootloader).
Q: Will this allow me to Downgrade/Root my device?
A: Answer is Probably not, even though this is untested. This is because the bootloader is still loading from the device, so it will still probably check the USB Drives image for a valid signature.
Q: I tried this, but my device still won't boot.
A: Well then there is probably not much else you can do, besides looking for a fix yourself. Remember, it's a $35 dollar device so it may just be best to buy a new one.
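An added example, not part of the original post: a small Python parser for the UART captures quoted in Steps 6 and 8 that reports whether a power cycle ended in the USB fallback or in a normal boot. The log excerpts are copied from the post; the names `BootReport`, `parse_boot_log`, `split_cycles` and `usb_boot_ready` are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns for lines that appear in the UART captures quoted in the post.
STRAP = re.compile(r"boot_strap=(0x[0-9a-fA-F]+) \(source=(\w+)\)")
LOADER = re.compile(r"(\S+) (\S+) \[([^\]]+)\] ver:(\S+)")
FTS = re.compile(r"fts: v(\d+) loaded from (0x[0-9a-fA-F]+)")
READ_FAIL = re.compile(r"Read failed @ (0x[0-9a-fA-F]+)")
STORAGE = re.compile(r"(\d+) Storage Device\(s\) found")

# Excerpt of the Step 6 capture (pin jumped, NAND read fails).
FORCED_USB_LOG = """\
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
fts: v155 loaded from 0x00268000
Read failed @ 0x7814c000
ERROR: Failed to read CPU image ret -1
Booting from NAND failed, booting from USB....!
scanning bus for devices... 2 USB Device(s) found
scanning bus for storage devices... 1 Storage Device(s) found
"""

# Excerpt of the Step 8 capture (boot mode back to normal).
NORMAL_BOOT_LOG = """\
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
fts: v168 loaded from 0x0029c000
[SHOWLOGO] stopped
Boot normal GTV image
fts: record v169 commited @ 0x002a0000
Uncompressing Linux... done, booting the kernel.
"""


@dataclass
class BootReport:
    strap_source: Optional[str] = None    # "NAND" in both captures
    loader_built: Optional[str] = None    # build timestamp inside the brackets
    loader_version: Optional[str] = None  # e.g. "9086b04-dirty"
    fts_version: Optional[int] = None
    read_failures: List[int] = field(default_factory=list)
    usb_storage_devices: Optional[int] = None
    outcome: str = "incomplete"           # usb_fallback | normal_boot | incomplete


def parse_boot_log(text: str) -> BootReport:
    """Summarise one power cycle of bootloader output captured over UART."""
    report = BootReport()
    for line in text.splitlines():
        # search() rather than match(): serial captures can drop leading bytes.
        m = STRAP.search(line)
        if m:
            report.strap_source = m.group(2)
        m = LOADER.search(line)
        if m:
            report.loader_built, report.loader_version = m.group(3), m.group(4)
        m = FTS.search(line)
        if m:
            report.fts_version = int(m.group(1))
        m = READ_FAIL.search(line)
        if m:
            report.read_failures.append(int(m.group(1), 16))
        m = STORAGE.search(line)
        if m:
            report.usb_storage_devices = int(m.group(1))
        if "booting from USB" in line:
            report.outcome = "usb_fallback"
        elif "Boot normal GTV image" in line:
            report.outcome = "normal_boot"
    return report


def split_cycles(capture: str) -> List[str]:
    """Split a long capture into power cycles; each begins at a boot_strap line."""
    cycles, current = [], []
    for line in capture.splitlines():
        if STRAP.search(line) and current:
            cycles.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        cycles.append("\n".join(current))
    return cycles


def usb_boot_ready(report: BootReport) -> bool:
    """True when the loader fell back to USB and found a storage device."""
    return report.outcome == "usb_fallback" and bool(report.usb_storage_devices)


if __name__ == "__main__":
    for n, cycle in enumerate(split_cycles(FORCED_USB_LOG + NORMAL_BOOT_LOG), 1):
        print(n, parse_boot_log(cycle))
```

Saving the PuTTY session to a file and running the capture through `split_cycles` shows, per power cycle, whether the NAND read failed and whether the jump drive was enumerated.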

Reserved

This reminds me of what people did for the xbox 360 with the dual nand chips, or what Adam Outler did with the galaxy camera. He had a switch that would choose whether to boot the default eMMC or a SD card.
Aaron Swartz, Rest in Pixels.

ddggttff3 said:
> Reserved
Can you explain why you chose pin 26?
Thanks

zackoch said:
> Can you explain why you chose pin 26?
> Thanks
In all honesty, trial and error with a device I didn't think would ever work again.
EDIT: Also, getting very very lucky.

jamcar said:
> This reminds me of what people did for the xbox 360 with the dual nand chips, or what Adam Outler did with the galaxy camera. He had a switch that would choose whether to boot the default eMMC or a SD card.
> Aaron Swartz, Rest in Pixels.
In case anyone didn't pick up on my meaning, it would be cool if we could use a switch to boot from USB or eMMC.
Aaron Swartz, Rest in Pixels.

jamcar said:
> In case anyone didn't pick up on my meaning, it would be cool if we could use a switch to boot from USB or eMMC.
> Aaron Swartz, Rest in Pixels.
Technically this may be possible, but I am not a developer, so don't quote me. The fact that we can load a kernel off a jump drive though should mean we have the ability to load and run a system image off of a jump drive.

I just got a second chromecast and am awaiting my USB OTG power cable, I do plan to root this one and work on seeing if my idea is possible.
Aaron Swartz, Rest in Pixels.

How did you get the remainder of the shield off? I got the covers off but I can't get the shield off.
EDIT: I got it. Another question: do you leave your chromecast "naked" or?

jamcar said:
> How did you get the remainder of the shield off? I got the covers off but I can't get the shield off.
> EDIT: I got it. Another question: do you leave your chromecast "naked" or?
You should put the RF shields back on after you do this modification, as they prevent interference and issues. During the dissection of my device though, I fully removed the shields (including the sides), so I have no choice but to run that one naked, but it is sitting on the side as I have another rooted chromecast I use for day to day usage.

Short pin 26 to Ground?
Sent from my XT897 using XDA Premium 4 mobile app

rbeavers said:
> Short pin 26 to Ground?
> Sent from my XT897 using XDA Premium 4 mobile app
To be more clear, you should jump both pins at point 26. I am planning on re-doing this thread now that flashcast is out, and can make this a hell of a lot easier.

Have not used my chromecast since I bought it, prob early August. Used it the first day and put it back in the box. Decided to play with it again and root it. Problem is as soon as you plug it into the TV it starts to update (have/had wifi off just in case). So I assume it downloaded the update way back when I first used it. Not sure if this update patches the root exploit or not and I don't want to find out. Will this method get me out of "update mode"? Anything else I can try? You mentioned Flashcast, any way to use it?
Thanks
BB

Bad Bimr said:
> Have not used my chromecast since I bought it, prob early August. Used it the first day and put it back in the box. Decided to play with it again and root it. Problem is as soon as you plug it into the TV it starts to update (have/had wifi off just in case). So I assume it downloaded the update way back when I first used it. Not sure if this update patches the root exploit or not and I don't want to find out. Will this method get me out of "update mode"? Anything else I can try? You mentioned Flashcast, any way to use it?
> Thanks
> BB
First off, any official OTA for the chromecast will patch the root exploit, so if that update goes through you will be unable to root your chromecast.
As for this method working for you, if you follow the jumping method as stated in OP, then yes, this method would force your chromecast to boot from the USB Cable.
As for using flashcast, thanks to tchebb's help, if you just boot flashcast 1.1.1 on a jumpdrive, it will automatically delete the OTA from the device, and reset the boot mode back to normal. So the need to use UART is no longer required!

ddggttff3 said:
> First off, any official OTA for the chromecast will patch the root exploit, so if that update goes through you will be unable to root your chromecast.
> As for this method working for you, if you follow the jumping method as stated in OP, then yes, this method would force your chromecast to boot from the USB Cable.
> As for using flashcast, thanks to tchebb's help, if you just boot flashcast 1.1.1 on a jumpdrive, it will automatically delete the OTA from the device, and reset the boot mode back to normal. So the need to use UART is no longer required!
I've tried doing the root method posted here:
http://forum.xda-developers.com/showthread.php?t=2529903
When I connect the CS to the usb side of the OTG cable it flashes red and then white and that's it.
Might I be doing something wrong?
Thanks
BB

Bad Bimr said:
> I've tried doing the root method posted here:
> http://forum.xda-developers.com/showthread.php?t=2529903
> When I connect the CS to the usb side of the OTG cable it flashes red and then white and that's it.
> Might I be doing something wrong?
> Thanks
> BB
Is your device rootable? If it has taken any official google OTA yet, then the device will be unable to use or boot flashcast as google patched the root exploit.
Next time please try to keep questions to the relevant thread, thanks.

ddggttff3 said:
> First off, any official OTA for the chromecast will patch the root exploit, so if that update goes through you will be unable to root your chromecast.
> As for this method working for you, if you follow the jumping method as stated in OP, then yes, this method would force your chromecast to boot from the USB Cable.
> As for using flashcast, thanks to tchebb's help, if you just boot flashcast 1.1.1 on a jumpdrive, it will automatically delete the OTA from the device, and reset the boot mode back to normal. So the need to use UART is no longer required!
IIRC, in another thread it was stated that Flashcast made no changes to the Chromecast, it was just to setup the USB drive to flash the Chromecast and it was the Pwnedcast ROM that made the needed changes to prevent the OTA from taking place.
It's mentioned in this post: http://forum.xda-developers.com/showpost.php?p=46307051&postcount=124 or am I misunderstanding what you mean?

wptski said:
> IIRC, in another thread it was stated that Flashcast made no changes to the Chromecast, it was just to setup the USB drive to flash the Chromecast and it was the Pwnedcast ROM that made the needed changes to prevent the OTA from taking place.
> It's mentioned in this post: http://forum.xda-developers.com/showpost.php?p=46307051&postcount=124 or am I misunderstanding what you mean?
That is correct, flashcast makes no changes, but it DOES reset the boot mode of the device back to normal. This is done to ensure that no device gets stuck in recovery mode forever, as well as deletes /cache/ota.zip so if an official google OTA is on the device, it gets deleted.

ddggttff3 said:
> That is correct, flashcast makes no changes, but it DOES reset the boot mode of the device back to normal. This is done to ensure that no device gets stuck in recovery mode forever, as well as deletes /cache/ota.zip so if an official google OTA is on the device, it gets deleted.
Deleting /cache/ota.zip isn't considered a change? So, if ALL that is done to a 12072 build is to setup the Flashcast USB drive, it can't be updated by Google?

wptski said:
> Deleting /cache/ota.zip isn't considered a change? So, if ALL that is done to a 12072 build is to setup the Flashcast USB drive, it can't be updated by Google?
No, the device will still be able to update from google if flashcast is run, flashcast just deletes any already downloaded OTA that has yet to be installed.

Related

[FLASHER] [v1.3 - 2014-07-07] FlashCast: Quickly and easily mod your Chromecast

What is it?
FlashCast is a USB image that provides a standardized way to mod your Chromecast. Think of it like a recovery which runs off of a USB drive. No more struggling with the limitations of the GTVHacker image, which is hard to modify and can only flash the /system partition. FlashCast is based on shell scripts, so you can use it to do anything you can do with a root shell. It also comes with a comprehensive suite of helper functions, so many tasks actually become much easier than they would be using a regular shell.
How do I use it?
If you prefer to follow a video tutorial, @ddggttff3 has made one here. Otherwise, read on for written instructions.
Preparation
Before you begin, you'll need some materials:
A Chromecast with a vulnerable bootloader. (For the bootloader to be vulnerable, the Chromecast must have never been connected to the internet and have a rootable serial number.)
The latest version of FlashCast (the download link is at the bottom of this post).
A USB drive (minimum size 256MB) which you are willing to have erased.
A powered Micro-USB OTG cable such as this one. (Alternatively, an unpowered USB hub and unpowered OTG cable can be used as shown here. I have not tested this method and cannot help you if your USB drive is not detected.)
Installation
Once you've gathered everything required, you can install FlashCast to your USB drive. To do so, you need to write the .bin file contained in the FlashCast .zip file you've downloaded to your drive. Simply using a file explorer to drag the .bin file to your USB drive is not correct and will not work. The specifics of doing a low-level write differ depending on OS, but, in general, Linux and OS X users should use dd and Windows users should use Win32DiskImager. This operation will erase your flash drive.
After you've written the .bin file to your USB drive, your computer will no longer recognize a filesystem on it. This is normal. In order for FlashCast to set up the drive's filesystem, you need to boot your Chromecast from the drive. To do this, perform the following steps:
Connect the male end of your Micro-USB OTG cable to your Chromecast.
Plug your USB drive into the USB-A female connector of the OTG cable.
Simultaneously hold the button on your Chromecast and connect the Micro-USB power connector to the female Micro-USB port of the OTG cable.
The power must be connected last. If it is not, your Chromecast may fail to detect the USB drive and boot up normally. If this happens, simply repeat the process, making sure to perform the steps in the correct order.
If FlashCast was copied correctly, you will see a red light on your Chromecast for approximately 9 seconds. It will then turn white and your TV will display a screen containing the FlashCast logo (shown at the top of this post) and various instructions. Once you see this screen, you may release the button. The screen will appear for another 9 seconds or so, after which your Chromecast will reboot on its own to the stock image. After it has rebooted (you may disconnect the power when it starts to boot into the stock image if you're worried about it updating), FlashCast is installed on your USB drive and ready for use. Your device is NOT rooted at this point and can still be updated by Google. To root, you need to flash a mod such as Team Eureka's Eureka-ROM. When you plug the drive into your computer, it should appear as an empty drive which you can copy files to.
Usage
FlashCast-compatible mods are distributed as .zip files. To flash a mod, simply copy it to the USB drive with the name eureka_image.zip. Do NOT use dd as you did in the previous section. If you do, you will have to repeat the whole process. Instead, just copy it onto the drive's filesystem as you would any other file. FlashCast is also capable of flashing a GTVHacker-style raw system image; if there are no native FlashCast mods present and the system image is in a file called Chromecast-Rooted-System-GTVHacker-cj_000-July27-635PM.bin, it will be flashed. This method of flashing is very inflexible and is not recommended.
How do I develop for it?
If you are interested in creating mods for FlashCast, please see the developer thread.
Who made it?
FlashCast is based on a generic Buildroot Linux image. Its mod framework was written entirely by me, but I couldn't have done it without the help of various individuals. Thanks, @cj_000, for helping me and putting up with my stupid questions in IRC. And thank you, @tvall, for releasing your update-free images so promptly up until now. Without those, FlashCast would have a much smaller potential user base.
Where do I get it?
Downloads and source code are available at FlashCast's GitHub repository. The latest version is currently v1.3.
Cool! First
Sent from my SCH-I605 using Tapatalk 4
Oh yeah, finally we can update kernels! Thanks for this, got some work to do now.
tchebb, awesome work. Your flasher seems so much more flexible than what we put out (but hell, we did it in 3 days), and it's never a problem to help out. In fact, we LOVE it when someone actually picks up on what we did and makes it so much better.
Can't wait to give it a try, once I get some free time!
CJ
vulnerable bootloader ?
How do I know if I have A Chromecast with a vulnerable bootloader ?
Looks super cool man, I am about to check it out and update my chromecasts now! Great work!!
just flashed over, working great. thanks so much!
stewwmann said:
> How do I know if I have A Chromecast with a vulnerable bootloader ?
The initial software which the Chromecast shipped with, build 12072, had a vulnerable bootloader. In all following software versions (12840, 12940, and 13300), the vulnerability is patched and FlashCast can't be used. If your Chromecast has been allowed to access the internet, it will have updated itself and will not be vulnerable. If you have not set up your Chromecast and it still has the software from the factory, it may or may not be vulnerable, depending on when you bought it. To check, you can plug it in (but not set it up), and check its "Build" in the Chromecast app. Alternatively, you can simply try to boot FlashCast on it. If it's patched, nothing bad will happen; the USB drive will simply fail to boot.
tchebb said:
> The initial software which the Chromecast shipped with, build 12072, had a vulnerable bootloader. In all following software versions (12840, 12940, and 13300), the vulnerability is patched and FlashCast can't be used. If your Chromecast has been allowed to access the internet, it will have updated itself and will not be vulnerable. If you have not set up your Chromecast and it still has the software from the factory, it may or may not be vulnerable, depending on when you bought it. To check, you can plug it in (but not set it up), and check its "Build" in the Chromecast app. Alternatively, you can simply try to boot FlashCast on it. If it's patched, nothing bad will happen; the USB drive will simply fail to boot.
I just got 2 units this week from Amazon and they have not been updated from the factory and thus, vulnerable.
tchebb said:
> The initial software which the Chromecast shipped with, build 12072, had a vulnerable bootloader. In all following software versions (12840, 12940, and 13300), the vulnerability is patched and FlashCast can't be used. If your Chromecast has been allowed to access the internet, it will have updated itself and will not be vulnerable. If you have not set up your Chromecast and it still has the software from the factory, it may or may not be vulnerable, depending on when you bought it. To check, you can plug it in (but not set it up), and check its "Build" in the Chromecast app. Alternatively, you can simply try to boot FlashCast on it. If it's patched, nothing bad will happen; the USB drive will simply fail to boot.
Damn, I have this 13300 version. And this will never happen, or is there a way?
Updated 3 Chromecasts, thanks for the excellent work!
raydekok said:
> Damn, I have this 13300 version. And this will never happen, or is there a way?
Currently there are no other known exploits.
ddggttff3 said:
> Currently there are no other known exploits.
That is too bad. I'm hoping that it will not take too long.
raydekok said:
> That is too bad. I'm hoping that it will not take too long.
@cammykool has been hoping that since Google forced 12840 upon him. He has given up hope.
I just finished using FlashCast on 2 ChromeCasts and everything went smooth and great! I could really see FlashCast evolving into a full blown recovery for ChromeCast!
I am thoroughly impressed with FlashCast, amazing work man, well done!
Hey guys, what's the purpose of this? Does it mean we can then use 3rd party developed apps? Apps that allow us to play local videos, etc.?
Thank You, Thank You very much....
Thanks for all the responses, I found a local Best Buy that has one, and I have put it on in store pickup for tomorrow. So if I do end up with one that has original fw, and am successful in installing flashcast, I can use the device as normal after that? No worries of it being locked back down? If we are not sure, I just will continue using my updated one until then.
stewwmann said:
> Thanks for all the responses, I found a local Best Buy that has one, and I have put it on in store pickup for tomorrow. So if I do end up with one that has original fw, and am successful in installing flashcast, I can use the device as normal after that? No worries of it being locked back down? If we are not sure, I just will continue using my updated one until then.
If it comes with the original version, and you install an image that doesn't update, you can use it as normal and not worry about it being locked down.
cool
:good: *fingers crossed*
So if my Chromecast had been connected to my TV since release date I'm screwed huh
Sent from my Nexus 7 using Tapatalk 2

[Q] where to get signed images?

Hi,
As I believe I need to reflash my chromecast using the original firmware, does anyone know where I can get it from?
(If you're interested in why, please see below.)
I seem to have a bricked Chromecast that I'm trying to revive (black screen after the booting chrome logo),
I have soldered in the serial port and it seems to boot the normal image ok (see bottom for dump), I have tried both the normal and the recovery image, it performs the recovery okay, however the normal boot after recovery yields the same results.
Therefore I would consider the next step to reflash it, however it refuses to flash using the GTV released firmware, because the existing firmware is too new to allow for the exploit, I therefore believe that I need a current firmware which is signed by google to attempt recovery of the chromecast, I spoke to google about it and I was welcome to send it back and get a replacement, however as I'm in Europe, it would be cheaper to just buy a new one, than to pay the postage.
P.S. I posted this in a non-QA forum, under the assumption that links would be of general interest to chromecast developer community, and therefore would be easier to find here, if moderators disagree, I apologize for the inconvenience of moving this post.
Normal boot:
s_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
PG868: leakage=192 vcore=11 sysctl=59
Customer key found, loading customer key...
Loading Secure Customer Key Store is finished
Loading Secure Customer Key Store is finished
Finish loading Customer Key store
bootloader image verified, start...
eureka-b3 BG2CD [Aug 5 2013 10:54:27] ver:f07e92b-dirty
OTP s0x000000FF lkg curr=192 mAnd_randomizer_init_by_flash_type(chip_id = 0x2C48044AA500): !!! RANDOMIZED !!!
[FASTLOGO] init.
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
showlogo_init_irq, Enable IRQ_dHubIntrAvio0(0x20) for cpu 0
[FASTLOGO] done.
fts: v94 loaded from 0x00174000
[SHOWLOGO] stopped
Boot normal GTV image
fts: record v95 commited @ 0x00178000
Uncompressing Linux... done, booting the kernel.
bse10093 said:
> Hi,
> As I believe I need to reflash my chromecast using the original firmware, does anyone know where I can get it from?
> (If you're interested in why, please see below.)
> I seem to have a bricked Chromecast that I'm trying to revive (black screen after the booting chrome logo),
> I have soldered in the serial port and it seems to boot the normal image ok (see bottom for dump), I have tried both the normal and the recovery image, it performs the recovery okay, however the normal boot after recovery yields the same results.
> Therefore I would consider the next step to reflash it, however it refuses to flash using the GTV released firmware, because the existing firmware is too new to allow for the exploit, I therefore believe that I need a current firmware which is signed by google to attempt recovery of the chromecast, I spoke to google about it and I was welcome to send it back and get a replacement, however as I'm in Europe, it would be cheaper to just buy a new one, than to pay the postage.
> P.S. I posted this in a non-QA forum, under the assumption that links would be of general interest to chromecast developer community, and therefore would be easier to find here, if moderators disagree, I apologize for the inconvenience of moving this post.
> Normal boot:
If you had the exploitable bootloader, I would refer you to my thread I made awhile back about debricking, but if yours is updated, I think all you can really do is send it back to google, or buy a new one. To my knowledge, there has been no leak of an official signed USB image.
What you can try though is booting the chromecast into recovery (no idea how you can do that if it's "bricked"), and have a jump drive with one of the official OTA Zips on it, named ota.zip. The chromecast recovery, if unable to find an update at /data/, will check an external jump drive.
Here is the link for the Official 13300 update. http://dl.google.com/googletv-eurek....1f63ef63d1f43c6222116806e5bea38a47e9f124.zip
tried recovery, but no luck
Thanks for your suggestions, I've tried to see if I can get it to load the software either by corrupting the boot (touching the memory without the shield after a few tries seems to be enough to cause corruption and thereby make it try to boot from usb), however it seems to fail locating the image. It may however just be a matter of me having to put it in there in a certain way.
The device seems to have bricked in a weird way, that is the recovery process seems to run without error and so does the normal boot process until the very end when it is supposed to switch from the spinning chrome logo into the chromecast desktop, it just switches to the black screen.
I was able to start the recovery, but I assume that it must have an existing ota.zip in /data/, as it doesn't seem to check the jump drive.
ddggttff3 said:
> If you had the exploitable bootloader, I would refer you to my thread I made awhile back about debricking, but if yours is updated, I think all you can really do is send it back to google, or buy a new one. To my knowledge, there has been no leak of an official update.
> What you can try though is booting the chromecast into recovery (no idea how you can do that if it's "bricked"), and have a jump drive with one of the official OTA Zips on it, named ota.zip. The chromecast recovery, if unable to find an update at /data/, will check an external jump drive.
Have you tried doing a factory reset on the chromecast? By button, or the setup application?
bse10093 said:
Thanks for your suggestions, I've tried to see if I can get it to load the software either by corrupting the boot (touching the memmory without the shield after a few tries seems to be enought to cause corruption and thereby make it try to boot from usb, however seems to fail locating the image it may however just be a matter of me having to put it in there in a certain way.
The device seems to have bricked in a weird way, that is the recovery process seems to run without error and so does the normal boot process until the very end when it is supposed to switch from the spinning chrome logo into the chromecast desktop, it just switches to the black screen.
I was able to start the recovery, but I assume that it must have an existing ota.zip in /data/, as it doesn't seem to check the jump drive.
I believe it will try to install a file named ota.zip on the root of a flash drive if it doesn't find an ota on internal storage.
factory default
ddggttff3 said:
Have you tried doing a factory reset on the chromecast? by button, or the setup application?
Yes I've tried it and it runs without errors, reboots however when back in normal boot mode it still shows the black screen instead of chromecast desktop.
P.S. maybe I should mention that the chromecast ad-hoc network also comes up, unfortunately though that doesn't seem to help.
doesn't seem to activate usb key
tvall said:
I believe it will try to install a file named ota.zip on the root of a flash drive if it doesn't find an ota on internal storage.
I tried renaming, however when starting recovery with the usb key containing the official 13300 renamed as ota.zip, it never has any disk activity on the usb key, however I can verify that it can read the key from the bootloader as it detects the key, but fails the signing step

[ROOT] HubCap Chromecast Root Release!

Dear XDA Users,
We’re happy to announce that fail0verflow, GTVHacker, and Team-Eureka have jointly discovered and exploited a new vulnerability in the Chromecast which allows root access on the current software build (17977) as well as new in box devices (proof).
Requirements
Chromecast Device
Teensy 2 or 2++
Teensy 2 - https://www.pjrc.com/store/teensy.html
Teensy 2++ - https://www.pjrc.com/store/teensypp.html
Teensy Loader - https://www.pjrc.com/teensy/loader.html
1GB+ Flashdrive
The files included in the zip
Instructions
Install the appropriate Teensy Root Package on your device.
If New In Box device, use 12940 otherwise use 16664.
Use plusplus_*.hex for 2++ model, regular_*.hex for 2 model
Using Win32DiskImager or dd, install the Flashcast Image to the 1G+ Flashdrive.
Plug in the Teensy to a USB OTG Cable, and plug it into the Chromecast while holding down the reset button.
The Teensy light should start flashing. If not, try the process again. After 30 seconds, it should go solid orange and the Chromecast LED should turn white.
Unplug the Teensy, then plug in the flashdrive loaded with Flashcast into the OTG cable, and then press the Chromecast button again.
If you used the 12940 image, the LED should turn white. If you used the 16664 image, the LED should stay dim red.
After about 5 minutes, the Chromecast should reboot and your device should now be rooted!
Having Problems?
“I am using a USB hub with a OTG cable, why is it not working?”
This root method requires a powered OTG cable and will not work over a USB hub. This is because the teensy needs to be directly connected to the Chromecast to work and can not go over a USB hub.
“How can I tell if the root is running?”
If the Chromecast is plugged into a TV, you should see a Flashcast message telling you your device is being rooted. If you do not see this message, unplug the Chromecast and try again.
Created By
@fail0verflow
@gtvhacker
@Dev_Team_Eureka
Shoutouts
Google Inc. - Thanks for the awesome device, now add fastboot support
XDA-Developers - For being the home of Chromecast Development
Download
Exploit Demo: https://www.youtube.com/watch?v=S2K72qNv1_Q
Download: http://download.gtvhacker.com/file/chromecast/HubCap.zip
Source:
GitHub: https://github.com/axoltl/HubCap
Brilliant -- working through the steps now!
One bit of missing hardware that may seem obvious: you'll need a USB-to-MiniUSB cable to program the Teensy. It doesn't ship with one and it wasn't shown in the video. I had a spare, so I'm in business and will edit my post once I'm able to successfully flash my Chromecast, but it may need to be put down on the required parts list.
UPDATE: worked like a charm!
The rooted device was purchased from Amazon two days ago with Prime shipping. Its S/N begins 3C24***. I couldn't tell you how happy I am to have not missed root this time around.
Thanks again for all your work, guys!
Awesome, thanks! Downloading now and will update!
Edit: flawless victory! Rooted 2 CC, one new in box and the other on latest firmware. Great work! Can't wait to see the source to understand how the exploit took place.
Amazing! Thanks!
Yea! I have a rooted CCast....
Just a note for Windows users who use win32mage....the flashcast image doesn't show using the browse because it's a BIN not an IMG file...
Just remove the file filter to *.* to see the proper image to burn to the USB Jump Drive.
Congrats to the team!
Gonna get my teensy asap! CC unplugged until then. Thank you so much, team!!
is this persistent and does it block OTA's?
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.
It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?
I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.
Thoughts?
psouza4 said:
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.
It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?
I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.
Thoughts?
Not sure but one of the ones I just rooted was 37*** that was on the latest ota.
I used the 16664 with a 2++
Sent from my 831C using Tapatalk
psouza4 said:
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.
It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?
I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.
Thoughts?
The exploit should still work on the older 36** serial device with the 16664 hex file. Double check to make sure the firmware on it is 16664 or greater. You won't be able to SSH into the device unless the root flashcast image is running.
Awesome! I'll keep my chromecast off the Internets till I get the board
They have it on Adafruit, which is where I got my Pi and Arduino stuff
ddggttff3 said:
The exploit should still work on the older 36** serial device with the 16664 hex file. Double check to make sure the firmware on it is 16664 or greater. You won't be able to SSH into the device unless the root flashcast image is running.
I am an idiot and didn't press the button on the Chromecast the second time to initiate payload from the flash drive. This is TWICE I did it and forgot about it both times.
Thanks!
Will this work with a Teensy 3.0?
mazzanet said:
Will this work with a Teensy 3.0?
Nope, only the Teensy 2 and Teensy++ 2 are supported (and there are separate images for both).
http://forum.xda-developers.com/showpost.php?p=54885650&postcount=9
Rooted one of my chromecasts. Thanks!
psouza4 said:
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.
It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?
I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.
Thoughts?
I found it difficult to power up the system and hold the CCast button down while doing it...
Figured out that if I POWER up the OTG cable and Teensy First it was much easier to hold the button and plug the CCast power in.
Try that....The Teensy should flash, if it doesn't reprogram it.
Make sure you use the Flashcast in the Hub release not the original found elsewhere on XDA
Asphyx said:
I found it difficult to power up the system and hold the CCast button down while doing it...
Figured out that if I POWER up the OTG cable and Teensy First it was much easier to hold the button and plug the CCast power in.
Try that....The Teensy should flash, if it doesn't reprogram it.
Make sure you use the Flashcast in the Hub release not the original found elsewhere on XDA
This is already resolved (posted above): I had forgotten to hit the button a second time for the flash drive payload.
psouza4 said:
I am an idiot and didn't press the button on the Chromecast the second time to initiate payload from the flash drive. This is TWICE I did it and forgot about it both times.
Thanks!
I often wish there was something like the Teensy loader to upload code to my own head so I wouldn't forget to do things! LOL!
i have a unopened 39xxxxxx
should i update it to 16664+ b4 rooting
don't know the version it comes with

[Help Thread] BLU R1 HD - Ask Any Question, Noob Friendly

This thread has been created for Questions & Answers/Troubleshooting specific to BLU R1 HD
Please feel free to share issues, questions and offer help. Noob questions are welcomed.
It is always best to use the Thanks button, in lieu of simply posting "Thank you".
Please keep discussion focused, on questions pertaining to this Device
List of supporters:
@bullet25
@triggerlord
@jasonmerc
@ColtonDRG
...
To those seeking help: Please don't bombard the supporters with PMs asking for help. Instead, ask your question here in the thread so others can benefit from the solution to your problem as well. If you want to be sure someone particular gets notified of your question, put his / her username directly after an @.
If you have ROM related questions, post in the relevant ROM Q&A thread (if there is one) or directly in the ROM development thread. Thank you!
Supporters: If you want to be put on or off the list, just make a request here in the thread!
Before posting anything, I strongly advise you to read
Forum Rules
[GUIDE] - XDA New User Guide - Getting started on XDA
XDA Tour
FAQs for BLU R1 HD
[Index] BLU R1 HD - Amazon and OEM Variants
Please look for a similar thread when visiting another device forum.
If you would like to create a [Help Thread] please Click Here.
Frequently Asked Questions
BLU R1 HD
This is a short list of frequently asked questions in this device forum and the answers often given as a response. It should serve as a starting point for gathering knowledge and finding solutions to many common problems.
Q1: Can I root the BLU R1 HD?
Yes. For the Amazon Variant please see these posts:
Original Root Post Here (Includes TWRP)
Or Step-by-Step Root Here (Includes TWRP)
For the OEM Variant please see this post:
Step-by-Step Root (Includes TWRP)
Q2: Can I unlock the bootloader?
Yes. For the Amazon Variant please see this post:
Bootloader Unlock
For the OEM Variant please see this post:
Step-by-Step Root (Includes TWRP)
A special thanks to everyone who contributed to the production of this FAQ
revered #2
Yo, I'll help. I'm stalking these forums 24/7 anyway.
Manual Camera Compatibility
Does it fully support the Camera2 API for use with manual camera apps?
TorrentialTech said:
Does it fully support the Camera2 API for use with manual camera apps?
Give me an app that uses Camera2 API and I'll test it and let you know.
Also @bullet25 I can never sleep anyway so add me to this glorious list, if you'd be so kind
jasonmerc said:
Give me an app that uses Camera2 API and I'll test it and let you know.
Also @bullet25 I can never sleep anyway so add me to this glorious list, if you'd be so kind
play.google.com/store/apps/details?id=pl.vipek.camera2_compatibility_test&hl=en This should do it
TorrentialTech said:
play.google.com/store/apps/details?id=pl.vipek.camera2_compatibility_test&hl=en This should do it
Doesn't look too pleasing.
jasonmerc said:
Doesn't look too pleasing.
Oh, that's a shame. I was hoping it would support Camera2 being such a recently launched phone. Hopefully it would work with a simple build.prop edit like the Redmi Note 3 or the Moto X Style.
TorrentialTech said:
Oh, that's a shame. I was hoping it would support Camera2 being such a recently launched phone.
There's always other alternatives that use their own camera drivers rather than manufacturer-bundled ones. Open Camera for one is a very good app that does not depend on device bundled camera drivers. It is very feature-rich and can be a powerful camera app if used in the right hands. Open Camera might be able to do what you're looking to do:
https://play.google.com/store/apps/details?id=net.sourceforge.opencamera
Thought I would ask this in the right thread.
My Amazon subsidized R1 HD is rooted with systemless Xposed installed. I did take the OTA update last week. It had been working fine for two days. I powered the phone off and placed on the charger, at which point it keeps continuously attempting to boot, just flashing the White Blu screen every 4-5 seconds. No combination of button presses, or holding of power seems to be able to stop it, so can't power the phone down, or get into TWRP. Ideas? It does not have a SIM in it at the moment, or when this occurred if that might matter.
While I have rebooted the phone many times since rooting, this may have been the first time that I have completely powered it down since rooting and installing TWRP this weekend. I had not made any changes to anything for a day or so, and it had survived many reboots. The only thing I can think of is that I did freeze the Amazon Offers App in TiBu to see what would happen, however, not sure that is in anyway related since it is not even getting to a point in the startup where it would check.
Is there some kind of boot verification Power Up, that does not occur on reset, where the modified Boot image of SuperSU would be the issue?
The only response I can get from the phone is that if I hold Volume+ and Pwr, the phone takes a few more seconds between reboots.....
ariesgodofwar said:
Thought I would ask this in the right thread.
My Amazon subsidized R1 HD is rooted with systemless Xposed installed. I did take the OTA update last week. It had been working fine for two days. I powered the phone off and placed on the charger, at which point it keeps continuously attempting to boot, just flashing the White Blu screen every 4-5 seconds. No combination of button presses, or holding of power seems to be able to stop it, so can't power the phone down, or get into TWRP. Ideas? It does not have a SIM in it at the moment, or when this occurred if that might matter.
While I have rebooted the phone many times since rooting, this may have been the first time that I have completely powered it down since rooting and installing TWRP this weekend. I had not made any changes to anything for a day or so, and it had survived many reboots. The only thing I can think of is that I did freeze the Amazon Offers App in TiBu to see what would happen, however, not sure that is in anyway related since it is not even getting to a point in the startup where it would check.
Is there some kind of boot verification Power Up, that does not occur on reset, where the modified Boot image of SuperSU would be the issue?
The only response I can get from the phone is that if I hold Volume+ and Pwr, the phone takes a few more seconds between reboots.....
Is it booting into android at least? If it is you can try:
Code:
adb reboot recovery
then in twrp do a default wipe (data, cache, dalvik) then see if everything is fine afterwards.
If not, try just letting it do its thing until it dies then see if it acts normal.
Otherwise it's probably a hardware issue and needs to be replaced.
I've shutdown and booted mine several times with the TWRP and Root installed so I don't think it's that.
bullet25 said:
Is it booting into android at least? If it is you can try:
Code:
adb reboot recovery
then in twrp do a default wipe (data, cache, dalvik) then see if everything is fine afterwards.
If not, try just letting it do its thing until it dies then see if it acts normal.
Otherwise it's probably a hardware issue and needs to be replaced.
I've shutdown and booted mine several times with the TWRP and Root installed so I don't think it's that.
Thanks! Yeah, it is not booting anywhere other than the White Screen that says BLU, so I can't even get to adb or TWRP (If I could I could fix it). Letting it die is my only other thought....... I was using a Nexus charge block, and a 3rd party cable which has been sketchy in the past, so maybe related to that.
But as you say, it may be hardware related, as it does not even seem to be going far enough in boot process to load Fastboot, let alone OS.
I raised a replacement request with Amazon just in case.....
Question on Encryption.
I have root and TWRP working correctly. My work Outlook profile requires (and I want) device encryption. I select the option to encrypt, enter my pin, get the Android guy gear cut in half thing icon for about 30 seconds then just a black screen. I let it sit like this for over an hour and nothing changed, so I rebooted. Phone isn't encrypted. Tried it again and got the same result. Am I missing something obvious here? Can you not encrypt if you have unlocked or something? Thanks!
brockwitting said:
Question on Encryption.
I have root and TWRP working correctly. My work Outlook profile requires (and I want) device encryption. I select the option to encrypt, enter my pin, get the Android guy gear cut in half thing icon for about 30 seconds then just a black screen. I let it sit like this for over an hour and nothing changed, so I rebooted. Phone isn't encrypted. Tried it again and got the same result. Am I missing something obvious here? Can you not encrypt if you have unlocked or something? Thanks!
I know with other phones you can do encryption with an unlocked bootloader, I don't know about this one. Either something is wrong with the phone's encryption or I honestly don't know. I'll try encrypting mine when I get a chance.
@brockwitting Encryption seems to be working. You have to unroot first and have a pin/pattern/or password to unlock the device. After that go through the encrypt steps. My phone shows the Android cut in half logo for about 10 seconds then a black screen for about another 30. It then rebooted and was at just the wallpaper. I hard shutdown by holding the power button then rebooted again. After I got a pin unlock screen after inputting the pin I had to press the power button, this might be normal I've never actually used android encryption before, and the phone was working fine since.
Screenshot
You can reboot into recovery afterwards and reroot.
bullet25 said:
@brockwitting Encryption seems to be working. You have to unroot first and have a pin/pattern/or password to unlock the device. After that go through the encrypt steps. My phone shows the Android cut in half logo for about 10 seconds then a black screen for about another 30. It then rebooted and was at just the wallpaper. I hard shutdown by holding the power button then rebooted again. After I got a pin unlock screen after inputting the pin I had to press the power button, this might be normal I've never actually used android encryption before, and the phone was working fine since.
Screenshot
You can reboot into recovery afterwards and reroot.
Sorry for the noobishness here, is there an easy way to temporarily Unroot without doing a full device restore to my pre-root state?
brockwitting said:
Sorry for the noobishness here, is there an easy way to temporarily Unroot without doing a full device restore to my pre-root state?
Open the SuperSU app, go to settings and there's an option for Full Unroot. Select that, reboot, then do the device encryption. After you verify it's working okay reboot back into recovery and flash SuperSU again. TWRP will ask for your password, just enter your password/pin when it does.
bullet25 said:
Is it booting into android at least? If it is you can try:
Code:
adb reboot recovery
then in twrp do a default wipe (data, cache, dalvik) then see if everything is fine afterwards.
If not, try just letting it do its thing until it dies then see if it acts normal.
Otherwise it's probably a hardware issue and needs to be replaced.
I've shutdown and booted mine several times with the TWRP and Root installed so I don't think it's that.
So, just wanted to close the loop in the event anyone else runs into this. After 7 hours of rebooting every 3 seconds, the battery ran out. The phone then turned on just fine when I attempted to restart it.......... very odd, but all seems well.
ariesgodofwar said:
Thanks! Yeah, it is not booting anywhere other than the White Screen that says BLU, so I can't even get to adb or TWRP (If I could I could fix it). Letting it die is my only other thought....... I was using a Nexus charge block, and a 3rd party cable which has been sketchy in the past, so maybe related to that.
But as you say, it may be hardware related, as it does not even seem to be going far enough in boot process to load Fastboot, let alone OS.
I raised a replacement request with Amazon just in case.....
Well spft is still an option. At the point of power off to power on there is a pause on Android that spft uses to inject a DA program of sorts (download assistant). So try to do a readback of the first like 5mb. The readback information doesn't matter, it is the DA injection you're looking for. If it works the on off cycle should stop. Then unplug and phone should be off

Lenovo Smart Clock (Bootloader/AVB unlock, Firmware, Region Changer, Kernel Source)

How to Bootloader Unlock (Part 1 of 2):
1. You will need a USB A to USB A cable (Example here)
2. You will need fastboot drivers on your PC
3. Unplug your clock
4. Plug the USB A to A cable into your computer and clock
5. Hold the volume + button and plug in the power cord
6. Keep holding volume + for about 20-30 seconds (It is slow to boot to fastboot)
7. On your computer in a terminal run, fastboot flashing unlock
Part 1 of unlocking is now done
AVB/DM-Verity Unlock (Part 2 of 2)
Unlocking the bootloader really does not give a lot to us because all the partitions are still being verified and the device will not boot if they don't match. Normally doing this on an Android Things device is not possible due to their Private key unlock system. But due to a leak, the private key for the Lenovo Smart Clock is available. Word of warning: doing this causes the stock Android Things not to boot; only the factory firmware located on Slot A will boot. Consistently, if you don't AVB unlock, the factory firmware on Slot A doesn't boot. If you have already set up your device once, the factory firmware is deleted and currently there is not a way to get it back (Hopefully will change soon).
If you are coming from part 1 you can start right away, if not you need to reboot to fastboot again.
1. Extract the downloaded AVB Unlock zip
2. Run this command in terminal
Code:
at_auth_unlock.exe cube_unlock_credentials_v2.zip
3. Wait till it finishes
4. Keep in mind the stock system does not boot properly with AVB off (It is weird some UI elements work but the boot animation never goes away)
5. To relock AVB in the future run the following command:
Code:
fastboot oem at-lock-vboot
Downloads:
Stock Shipping fastboot firmware:
Here
AVB Unlock tool:
Here
Factory partition changer (Locale changer):
Here
Google released kernel source:
https://github.com/deadman96385/android_kernel_lenovo_mt8167s
Dump of stock partitions for easy viewing:
https://github.com/deadman96385/things_mt8167s_som_dump
Credit to @deletescape for the leak of the AVB Unlock Key, Stock firmware, region changer
Screenshots of the stock android things on Slot A if you don't setup the device :
TWRP (Coming Soon)
Excited to see what you manage to do with this!
This is great! I have one of these and it felt way too restrictive, looking forward to seeing what comes out of this.
You can also unlock the boot loader simply with what's below... device does boot with this btw
fastboot flashing unlock
Although I've been messing with the device quite a bit. Plug in a usb keyboard, and you can get a web browser to recognize it and go to websites and such using the touch screen as a cursor, but you can't download APK files and install them and such. I've NEVER had the device recognized by ADB, so I can't pass commands from there either.
KaptinBoxxi said:
You can also unlock the boot loader simply with what's below... device does boot with this btw
fastboot flashing unlock
Although I've been messing with the device quite a bit. Plug in a usb keyboard, and you can get a web browser to recognize it and go to websites and such using the touch screen as a cursor, but you can't download APK files and install them and such. I've NEVER had the device recognized by ADB, so I can't pass commands from there either.
Just doing step one does not actually get you anything because if you flash something that isn't stock on the verified partitions it will not boot until you flash back the stock one. I have gotten adb to show up but not properly so it is offline. Still hacking away at it trying to get it to go so I can more easily debug TWRP and make edits to the system.
deadman96385 said:
Just doing step one does not actually get you anything because if you flash something that isn't stock on the verified partitions it will not boot until you flash back the stock one. I have gotten adb to show up but not properly so it is offline. Still hacking away at it trying to get it to go so I can more easily debug TWRP and make edits to the system.
Ahhhhh got it. I couldn't find anything when I was messing with it like you've found with those commands. I'm kinda new to all this myself at something with nearly zero support, although I have a ton of experience with phones. Had to find my own exploit with my HTC One M7 because the version of android on the phone was the final supported update when I got it, and everyone said "nothing is possible with this android version" as far as rooting... so I figured out my own way lol
I'll continue trying myself though for sure
I also own one of these clocks, so if anyone has anything that I could test out, please share!
I think I'm bit late to party. Anyone who has a backup for those lenovo products, maybe it's a good idea to torrent them.
Honami754 said:
I think I'm bit late to party. Anyone who has a backup for those lenovo products, maybe it's a good idea to torrent them.
I don't have the time to test this stuff out for at least a few weeks, but if when I get to it, I'll try to upload my Backups somewhere before I tinker with the system. I'll update this comment when I do.
CiriousJoker said:
I don't have the time to test this stuff out for at least a few weeks, but if when I get to it, I'll try to upload my Backups somewhere before I tinker with the system. I'll update this comment when I do.
That's not really what I mean... I was referring to some interesting documents from lenovo. Have a few of those hardware but unfortunately didn't grab those files. Anyone also interested in these can PM me maybe we can do something about it.
when will twrp be available
Interesting as there have been a few of these turn up to auction of late.
I have gone with the 10' for main room and 8' for bedroom.. love them..
Got the oldies the little 7'
Great for streaming too..
The one I wish it did was announce the time by voice when the internet was down and we said "Hey Google". I am blind without my glasses and often when I am in bed, the internet is down in my area for maintenance period. The clock becomes useless when the internet goes down.
How are people getting the web browser to appear? I'm able to unlock the bootloader but can not boot with the AVB unlocked (well...technically it boots but still shows the spinning circle even though it will let you go to settings). I tried flashing the stock fastboot img and booting with avb unlocked and still get spinning circle. Not trying to get too fancy with this...just want to be able to point to a status page that I can leave it on.
Does anyone try to build a new firmware image and install this instead of stock?
Maybe compiling Android Things from source is possible, but looks like Google has stopped the development. The Lenovo Smart Frame seems to have the same MT8167S and runs on Android 10. Maybe it's possible to compile a LineageOS version?
lenovo.com/us/en/coming-soon/Lenovo-CD-3L501/p/ZZISZSDCD04
Another option might be fuchsia that contains a mt8167s board ref.
fuchsia.googlesource.com/fuchsia/+/master/boards/mt8167s_ref.gni
Google's Coral announced a Dev Board Mini based on MT8167s, maybe they port the Debian-based Mendel Linux to it.
coral.ai/products/dev-board-mini
hugo987 said:
Has anyone tried to build a new firmware image and install it instead of stock?
Maybe compiling Android Things from source is possible, but looks like Google has stopped the development. The Lenovo Smart Frame seems to have the same MT8167S and runs on Android 10. Maybe it's possible to compile a LineageOS version?
lenovo.com/us/en/coming-soon/Lenovo-CD-3L501/p/ZZISZSDCD04
Another option might be fuchsia that contains a mt8167s board ref.
fuchsia.googlesource.com/fuchsia/+/master/boards/mt8167s_ref.gni
Google's Coral announced a Dev Board Mini based on MT8167s, maybe they port the Debian-based Mendel Linux to it.
coral.ai/products/dev-board-mini
I suppose the smart frame is running Android Things as well. Compiling Android Things does make much sense except to prove the drivers are sort of working; this is not designed to let users have fun (i.e. installing apps).
Google *really* loves mt8167s for some reason. I'd say there's a good chance of us having full Android on it, but everyone's busy.
They are throwing these things at our heads now. 35/40 USD during Black Fridays.
I don't think you can order the components for that price.
Anybody still working on it? Lenovo claims it's still working on the sound bug - hxxps :// forums.lenovo.com/t5/Lenovo-Smart-Display-Lenovo-Smart-Clock-with-Google-Assistant/Smart-clock-alarm-volume-too-loud-at-first/m-p/5040962?page=4 (latest reply 2020-13-11 from Lenovo) and they did some unannounced pretty good updates in September 2020 - hxxps :// 9to5google.com/2020/09/21/lenovo-smart-clock-night-light/
They also claim the source is on their website hxxps :// smartsupport.lenovo.com/us/en/products/smart/smart-home/smart-clock/za4r/downloads/ds539701
So is this dead?
deadman96385 said:
How to Bootloader Unlock (Part 1 of 2):
1. You will need a USB A to USB A cable (Example here)
2. You will need fastboot drivers on your PC
3. Unplug your clock
4. Plug the USB A to A cable into your computer and clock
5. Hold the volume + button and plug in the power cord
6. Keep holding volume + for about 20-30 seconds (It is slow to boot to fastboot)
7. On your computer in a terminal run, fastboot flashing unlock
Part 1 of unlocking is now done
AVB/DM-Verity Unlock (Part 2 of 2)
Unlocking the bootloader really does not give a lot to us because all the partitions are still being verified and the device will not boot if they don't match. Normally doing this on an Android Things device is not possible due to their private key unlock system. But due to a leak, the private key for the Lenovo Smart Clock is available. Word of warning: doing this causes the stock Android Things not to boot; only the factory firmware located on Slot A will boot. Consistently, if you don't AVB unlock, the factory firmware on Slot A doesn't boot. If you have already set up your device once, the factory firmware is deleted and currently there is not a way to get it back (Hopefully will change soon).
If you are coming from part 1 you can start right away, if not you need to reboot to fastboot again.
1. Extract the downloaded AVB Unlock zip
2. Run this command in terminal
Code:
at_auth_unlock.exe cube_unlock_credentials_v2.zip
3. Wait till it finishes
4. Keep in mind the stock system does not boot properly with AVB off (It is weird some UI elements work but the boot animation never goes away)
5. To relock AVB in the future run the following command:
Code:
fastboot oem at-lock-vboot!
Locale changer instructions:
Coming soon (Need to figure it out)
Downloads:
Stock Shipping fastboot firmware:
Here
AVB Unlock tool:
Here
Factory partition changer (Locale changer):
Here
Google released kernel source:
https://github.com/deadman96385/android_kernel_lenovo_mt8167s
Dump of stock partitions for easy viewing:
https://github.com/deadman96385/things_mt8167s_som_dump
Credit to @deletescape for the leak of the AVB Unlock Key, Stock firmware, region changer
How about the smart display, the same way?
jasonzhang1987 said:
How about the smart display, the same way?
We do not have the AVB unlock files for the smart displays sadly.
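Added example, not part of any post in this thread: deadman96385's point that partitions are still verified after a bootloader unlock refers to Android Verified Boot. Assuming the device images use the standard AVB 2.0 vbmeta header layout from libavb, this sketch reads a vbmeta header and reports the signing algorithm and whether the verification-disable flags are set; `parse_vbmeta_header` and `build_sample` are illustrative names and the sample headers are constructed.

```python
import struct

# AVB 2.0 vbmeta header: 256 bytes, big-endian, as in libavb's
# AvbVBMetaImageHeader (48-byte release string, then 80 reserved bytes).
HEADER = struct.Struct(">4s2I2QI11Q2I48s80x")
ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096",
              3: "SHA256_RSA8192", 4: "SHA512_RSA2048",
              5: "SHA512_RSA4096", 6: "SHA512_RSA8192"}
FLAG_HASHTREE_DISABLED = 1 << 0      # dm-verity hashtree checks switched off
FLAG_VERIFICATION_DISABLED = 1 << 1  # descriptor verification switched off


def parse_vbmeta_header(blob):
    """Return the security-relevant fields of a vbmeta image header."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated vbmeta header")
    f = HEADER.unpack_from(blob)
    if f[0] != b"AVB0":
        raise ValueError("bad magic: not a vbmeta image")
    auth_size, algo = f[3], f[5]
    sig_offset, sig_size = f[8], f[9]
    # The signature must lie inside the authentication block.
    if sig_size > auth_size or sig_offset > auth_size - sig_size:
        raise ValueError("signature outside authentication block")
    flags = f[17]
    return {
        "libavb_version": (f[1], f[2]),
        "algorithm": ALGORITHMS.get(algo, "UNKNOWN(%d)" % algo),
        "signed": algo != 0 and sig_size > 0,
        "rollback_index": f[16],
        "hashtree_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "release": f[19].rstrip(b"\0").decode("ascii", "replace"),
    }


def build_sample(algo, flags, sig_size):
    """Constructed header for the demo; not taken from any device image."""
    auth_size = 32 + sig_size  # 32-byte hash followed by the signature
    return HEADER.pack(b"AVB0", 1, 0, auth_size, 0, algo,
                       0, 32, 32, sig_size, 0, 0, 0, 0, 0, 0,
                       0, flags, 0, b"avbtool 1.1.0")


if __name__ == "__main__":
    for label, img in (("signed", build_sample(2, 0, 512)),
                       ("unsigned, checks off", build_sample(0, 3, 0))):
        print(label, parse_vbmeta_header(img))
```

An image that reports `algorithm: NONE` or has either flag set only boots on a device whose verified-boot state has been unlocked, which is why the bootloader unlock alone does not let modified partitions run.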
