Since there is no confirmed information stated anywhere on the web about S5 Mini supporting / not supporting USB OTG, I tried it myself.
Bought a cable, tried it, and was left dissapointed. Did not work.
So, can anyone else confirm USB OTG working / not working on a S5 Mini ( G800F )?
P.S. Flash stick and USB OTG cable I used work perfectly on a couple of tablets I managed to test in the meantime.
Confirmed. No support for USB OTG. Lock.
Yea... No support
The G800F is capable of USB OTG. It simply is not enabled in the stock firmware. I build a custom kernel with USB OTG enabled and it works.
It even powers the USB device so no external power source is required.
So far I tried keyboard, mouse and USB-audio. Everything works. I haven't tried USB storage so far as the power consumption is much higher than for other devices - it might work but it can also damage your phone.
At the moment I cannot create a new thread to post the kernel (10 posts are needed before this is possible). So I will do this later.
I wonder why Samsung disabled this feature - and if they will enable it with later firmware releases. Maybe there really are power issues.
---------- Post added at 05:16 AM ---------- Previous post was at 04:17 AM ----------
Also my tivizen USB-OTG DVB-T stick works
I got this bundled with an EDD-D200B docking station for 17€. First I was disappointed as neither the docking station nor the DVB-T stick worked with the stock firmware. With the stock kernel, the DVB-T stick is not recognized. Now it works just fine.
With the stock kernel also the docking station is useless. Nothing happens if you put the phone on the dock. It does not even charge the phone. This is because the dock usb port is connected to a resistor on the OTG ID-pin. As the stock kernel is not compiled properly, the G800F recognizes the dock station to support dock mode but it does not switch to this mode.
In my kernel, dock and car dock support is still disabled. Maybe I will enable this tonight in the kernel. Would be interesting if it charges then or even routes audio to the audio connector in the back of the dock.
Great news. Later you can do for g800h?
Hi da_jok3r,
I don't have a G800H so I will not try it. But if I have some time, I will write down the steps to perform to enable USB OTG.
This way it might be possible to port the changes to the G800H. But as totally different SoCs are used in G800F and G800H chances are not that high, that the same fix will work on the G800H too.
Some more update:
USB-OTG mass storage works. Tested it with a USB flash stick and I can browse the files.
Enabled desk dock support in the kernel and now the EDD-D200B dock charges the phone. No need to remove the dock's internal resistor anymore. Unfortunately, audio is not redirected to the dock's audio connector. The sound still comes from the phone's speaker. Either the soundchip's audio pins are not connected to the sm5502 USB-switch or there is some software component missing.
Here the dmesg output after connecting the dock:
[ 485.951912] [0] 834 muic-sm5502:sm5502_muic_detect_dev dev[1:0x0, 2:0x40, 3:0x10], adc:0x1a, vbvolt:0x2
[ 485.952006] [0] 834 muic-sm5502 : DESKDOCK DETECTED
[ 485.952056] [0] 834 muic-sm5502:attach_deskdock vbus(2)
[ 485.952817] [0] 834 muic-sm5502:switch_to_dock_audio
[ 485.953797] [0] 834 muic-sm5502:set_com_sw reg_val(0x49)!=MANSW1 reg(0x1), update reg
[ 485.955550] [0] 834 muic-sm5502:muic_dock_cb MUIC dock type=1
[ 485.956488] [0] 834 muic-sm5502:attach_charger new_dev(6)
[ 485.956572] [0] 834 muic-sm5502:muic_charger_cb 6
If audio routing through the dock is not supported, maybe I will just use USB-audio to get the audio through.
If you remove all the necessary files from the firmware G800h and act as a tester?
The processor also depends also support OTG? (Qualcomm - Exynos)
Love to here more on this
da_jok3r said:
If you remove all the necessary files from the firmware G800h and act as a tester?
The processor also depends also support OTG? (Qualcomm - Exynos)
Click to expand...
Click to collapse
Hi there
Music to my ears. I have a S5 Min 800F and am desperate to get the OTG working. Just invested in OTG cable ANT+ stick and new ANT+ enabled Cycle computer and I had no idea that OTG was not operational.
With my old Samsung S2 I routed and change the software to KitKat but this one is still new. Does it involve route and wipe and start again or is there an easy way?
Love to hear more please
thanks:good:
PhotoRepair said:
Music to my ears. I have a S5 Min 800F and am desperate to get the OTG working. Just invested in OTG cable ANT+ stick and new ANT+ enabled Cycle computer and I had no idea that OTG was not operational.
Click to expand...
Click to collapse
Does that mean, you have not tried so far if OTG works for you? At least with my firmware (G800FXXU1ANJ2) it did not work - but it is possible (but unlikely) that official firmwares exist that already support OTG. Maybe you can test if OTG works and post your firmware version here.
PhotoRepair said:
With my old Samsung S2 I routed and change the software to KitKat but this one is still new. Does it involve route and wipe and start again or is there an easy way?
Click to expand...
Click to collapse
My smartphone is rooted but it should also work without root. You have to flash a new kernel (contained in a boot.img file) with Odin. Although this does not root your device it will probably trigger the KNOX counter and void your warranty. As only the kernel is replaced, the Android system and your data will survive - so you don't have to start again. But I would recommend to safe your data before, just in case flashing the kernel fails.
hennymcc said:
Does that mean, you have not tried so far if OTG works for you? At least with my firmware (G800FXXU1ANJ2) it did not work - but it is possible (but unlikely) that official firmwares exist that already support OTG. Maybe you can test if OTG works and post your firmware version here.
Click to expand...
Click to collapse
OTG not working with firmware (G800FXXU1ANJ2) exactly same as yours.
hennymcc said:
My smartphone is rooted but it should also work without root. You have to flash a new kernel (contained in a boot.img file) with Odin. Although this does not root your device it will probably trigger the KNOX counter and void your warranty. As only the kernel is replaced, the Android system and your data will survive - so you don't have to start again. But I would recommend to safe your data before, just in case flashing the kernel fails.
Click to expand...
Click to collapse
Why should we suffer an inferior phone when the OTG is there and just needs switching on! So Id have to find a Kernel with the OTG enabled? Or do you have one?
Thanks so much for your help
PhotoRepair said:
Why should we suffer an inferior phone when the OTG is there and just needs switching on! So Id have to find a Kernel with the OTG enabled? Or do you have one?
Click to expand...
Click to collapse
I already built a kernel with OTG support for the G800F. I will post the link and some notes as soon as I can open a new thread.
da_jok3r said:
If you remove all the necessary files from the firmware G800h and act as a tester?
The processor also depends also support OTG? (Qualcomm - Exynos)
Click to expand...
Click to collapse
If you already rooted your G800H you could check which USB switch is built-into your device. Connect to your device via ssh or adb shell as root. Then connect an OTG cable (with a keyboard, mouse, ... plugged in) with your G800H. On the shell execute "dmesg" and search for lines with "OTG", "OTG DETECTED", "muic-sm5502", "muic" or "5502". If you have lines with "muic-sm5502" then at least you have the same USB-switch built-in. You can also put (parts of) the dmesg output in some pastebin and post the link here. Then I can have a quick look at it.
hennymcc said:
I already built a kernel with OTG support for the G800F. I will post the link and some notes as soon as I can open a new thread.
Click to expand...
Click to collapse
Awesome thanks! :0)
An instruction how to flash the OTG kernel image is here:
[KERNEL][G800F][exynos][G800FXXU1ANG1] USB-OTG enabled kernel
hennymcc said:
If you already rooted your G800H you could check which USB switch is built-into your device. Connect to your device via ssh or adb shell as root. Then connect an OTG cable (with a keyboard, mouse, ... plugged in) with your G800H. On the shell execute "dmesg" and search for lines with "OTG", "OTG DETECTED", "muic-sm5502", "muic" or "5502". If you have lines with "muic-sm5502" then at least you have the same USB-switch built-in. You can also put (parts of) the dmesg output in some pastebin and post the link here. Then I can have a quick look at it.
Click to expand...
Click to collapse
please see
There are references to the OTG
And here is the link to the OpenSource for g800h
http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=SM-G800H
hello, sorry for asking, but...
i have a g800f (normal s5mini) with firmware g800fxxu1ang7, no updates since start. i have flashed this firmware and rooted with cf. but i miss the otg-option, so what to do and what are the experiences so far?
can i flash your kernel to my handy or do i have to flash first a special firmware? do i lose my settings etc. and have to set up the handy after flashing again? what if i want to go "back" for e.g. i recognize that your kernel has some side effects that i dont want do?
sorry for asking, but im not sure about flashing, actually my handy works like a charm but i want to have the otg.feature. btw...if the otg is enabled after flashing what when the handy falls in to water? at usb-connector should now be 5volt which is sure not good in water..maybe this is the cause why samsung disabled it - or was ist maybe of the android 4.4. rules (heard otg should no longer be supported)
pls...lighten my darkness
thean9el said:
hello, sorry for asking, but...
i have a g800f (normal s5mini) with firmware g800fxxu1ang7, no updates since start. i have flashed this firmware and rooted with cf. but i miss the otg-option, so what to do and what are the experiences so far?
can i flash your kernel to my handy or do i have to flash first a special firmware? do i lose my settings etc. and have to set up the handy after flashing again? what if i want to go "back" for e.g. i recognize that your kernel has some side effects that i dont want do?
sorry for asking, but im not sure about flashing, actually my handy works like a charm but i want to have the otg.feature. btw...if the otg is enabled after flashing what when the handy falls in to water? at usb-connector should now be 5volt which is sure not good in water..maybe this is the cause why samsung disabled it - or was ist maybe of the android 4.4. rules (heard otg should no longer be supported)
pls...lighten my darkness
Click to expand...
Click to collapse
I want it toooooooo!!!!!!!!!!!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I wonder if anybody can test one of these OTG Y-cables without this patch and see if it works.
Perhaps they've only disabled the otg power out pins. It would make sense that they'd do that since we don't have the highly convenient port flaps unlike the s5. Without the flaps, the circuits would probably just bleed to death from short circuit or something.
Well, it works on the nexus where google disabled OTG
mahirh said:
I wonder if anybody can test one of these OTG Y-cables without this patch and see if it works.
Perhaps they've only disabled the otg power out pins. It would make sense that they'd do that since we don't have the highly convenient port flaps unlike the s5. Without the flaps, the circuits would probably just bleed to death from short circuit or something.
Well, it works on the nexus where google disabled OTG
Click to expand...
Click to collapse
You can try it - but it won't work. Without the patch the USB-OTG cable is detected by the kernel but the USB-host drivers are simply not loaded (because software support is deactivated).
In addition i don't know if such a cable will hurt the smartphone. I think I already used such a cable with my phone without damaging it but who knows (and you don't really need it because the phone powers the devices itself).
Related
I got a great deal on a used nexus and got everything but the USB cable. Is it possible for me to unlock my boot loader before I buy a cable for it?
ahronzombi said:
I got a great deal on a used nexus and got everything but the USB cable. Is it possible for me to unlock my boot loader before I buy a cable for it?
Click to expand...
Click to collapse
I'm pretty sure you can't.
However, I bought one of these for the office and it works fine:
http://www.amazon.com/BlackBerry-Cable-Micro-1-0m-Black/dp/B001QATRCA/
You need to put the ROM Zip to your SD card so you are pretty stuck. Dunno if you can use Bluetooth tho'. Unless you live far off aome electronic store like Radioshack, a cable shouldn't rip our wallet clean for cash.
But in reality you don't need to be hooked up on the cable when rooting and backing up your current ROM for that matter.
I'm also pretty sure this is impossible. You need to run command prompt commands, etc. a computer just has to be available - if there is a way though, I would love to be educated.
A micro USB cable shouldn't cost that much I guess..
Recovery and rom can be flashed from sd so he would only need to pull his sd and transfer the recovery and rom to it then put it back in his phone. The root could be done from an su terminal but of course you cant use it till you root, not sure how you get around that one. I dont use rom manager but if I recall rightly you have to be rooted to use it?
You have to run fastboot oem unlock using a USB cable to root, you need wifi to transfer things to the SD card using 'Discovery' which is a pain because the UI doesn't work right yet with the Nexus or 2.1.
wesbalmer said:
You have to run fastboot oem unlock using a USB cable to root, you need wifi to transfer things to the SD card using 'Discovery' which is a pain because the UI doesn't work right yet with the Nexus or 2.1.
Click to expand...
Click to collapse
Yeah, I think there is no way around the oem unlock without a cable.
As for transferring files over Wifi, check out this app:
http://www.cyrket.com/p/android/nextapp.websharing/
Pretty awesome.
http://www.monoprice.com/products/p...=10303&cs_id=1030307&p_id=5457&seq=1&format=2
3ft USB cable $2.90 shipped.
these are what I use, they work great.
I use monoprice for anything that involves a cable... HDMI, usb cables, even my car charger. They have one for $1.16 that pulls out 1000 instead of 500 like most of the cheap ones out there.
Again, can't oem unlock without USB
but you could always download the recovery straight to your phone, or just email it to yourself.
ahronzombi said:
I got a great deal on a used nexus and got everything but the USB cable. Is it possible for me to unlock my boot loader before I buy a cable for it?
Click to expand...
Click to collapse
As others have indicated, there's nothing special about the USB cable used by the N1 - It's a standard micro USB. I use my blackberry's micro USB as a backup cable at work.
Think about the other possibilities a USB cable gets you: The ability to charge your N1 using your computer!
what you can do is some of the newest computers/laptops carry a micro adapter like this you can take out your sd card from your phone and place it here and follow the process for rooting im not sure if this would work but u can give it a try
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
You have to have fastboot CLI access to root, yes? I'm pretty sure this has been said before, but I'm 95% certain you MUST be connected via USB to root. I had to do this for both my Tilt and my Fuze, and I've toyed around with doing it on the N1 but haven't broken down and done it yet (don't want to lose the OTA updates lol), but it always required android sdk + phone in fastboot mode
MaximReapage said:
You have to have fastboot CLI access to root, yes? I'm pretty sure this has been said before, but I'm 95% certain you MUST be connected via USB to root. I had to do this for both my Tilt and my Fuze, and I've toyed around with doing it on the N1 but haven't broken down and done it yet (don't want to lose the OTA updates lol), but it always required android sdk + phone in fastboot mode
Click to expand...
Click to collapse
Right - Need the USB cable to perform the initial "fastboot oem unlock" to unlock the bootloader so that custom roms and/or a superboot img can be flashed.
Hi guys. Ralekdev, Rebellos and Myself have become quite good at hacking the extra roxor out of Samsung devices. We started with The UnBrickable Mod which now spans 15 total devices on the Samsung Galaxy S series. The UnBrickable Mod turned the Galaxy S into a development board. So we moved on to sucessfuly hacking the Qualcomm bootloaders on the Verizon Galaxy S3 and while our exploits for this device have not yet been needed, we have them ready to deploy on several devices and we've learned alot. Today we would like to present to you:
UnBrickable SD-The ultimate in Exynos Necromancy
The UnBrickable SD allows for total resurrection of an otherwise hard-bricked and dead device. It takes a device-specific SDCard, and a jumper to be placed across a tiny resistor. This triggers the device to silently boot at which point it will count to 10 and reload the device's bootloaders. This uses Samsung Official firmware unlike UnBrickable SD Mod (unreleased as of the time of this post) which allows for dual-booting of custom and official.
Why would I need this?
The processor has a small bit of ROM called IROM that tries to initialize the EMMC to load SBOOT. SBOOT then fully initializes the EMMC(Internal and soldered down MMC chip) where it pulls boot parameters, partition tables and all other information for the device to boot. if the SBOOT is damaged, the device will no longer boot and Odin/Factory modes are destroyed and the device is hard-bricked. This failed boot means the device cannot function and is locked up.
How does UnBrickable SD work?
The UnBrickable SD works because the processor is configured to attempt to load SBOOT from EMMC and then fail-over to SD, and finally UART. We've prepared an SDCard via the sdcard command in SBOOT below. By disabling the EMMC during the IROM sequence, this device will automatically fail-over to SDCard boot, check the signatures, see a valid image, and reload the SBOOT onto the EMMC thus enabling Odin.
Instructions
You will need:
The SDCard Image: http://d-h.st/KIV
The Partition Information Table(PIT file)
The Odin Firmware(Heimdall one-click coming soon) http://forum.xda-developers.com/showthread.php?t=2006138
Samsung Kies (for its drivers) http://www.samsung.com/us/kies/
Once you have the required tools, we can begin the procedure.
Create your UnBrickable SD.
Unzip the SDCard Image file from the zip.
Write it to an SDCard
Linux:
Code:
sudo dd if=GCAM-bootable-odin-from-sd-60mb-DDimg.img of=/dev/MYDEVICE
where MYDEVICE is the sdcard (usually SDB or SDC
Windows: use this tool https://launchpad.net/win32-image-writer/ . I'm not going to explain because I use Linux.
Disassemble the device
I've prepared this video which shows how to disassemble the device. You can stop after you remove the LCD. Just pull the EM shields off after that so you can access the resistor.
Insert the SDCard
If you need instructions, you should have stopped long ago
Short the EMMC Resistor
You can use a pair of tweezers or a piece of wire, really anything to conduct electricity from one side of the resistor to the other. Below you can see some needles connected by a piece of wire which I use to short this resistor.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Press the power button wait a couple of seconds and release the short
While booting, the device provides a 10 second countdown on the UART2 port. during this 10 second countdown, the EMMC needs to become enabled in order to write the bootloaders back to the device. The entire process takes 30 seconds and you will see nothing on the screen.
Flash with Odin
This procedure is the same as shown in the video below, however you will put the firmware from above in the PDA section instead of CF-AutoRoot and put the PIT from above into the PIT section
Conclusion
You have sucessfully restored your device to stock condition. Please hit the thanks button below this post.
Additional Resources
[R&D] Port SDCard Recovery to Other Exynos4412 Devices: http://forum.xda-developers.com/showthread.php?t=1986887
Would you like to see the UnBrickable SD on your Exynos4 device (GS2, GNote, Gnote2)? I need a working device and a broken device to develop and test.
So similar procedure will also work on Galaxy S3 ?
drraptor said:
So similar procedure will also work on Galaxy S3 ?
Click to expand...
Click to collapse
Yes. the same procedure will work on the S3. I'm also working on bringing this to other devices as well.
What kind of image do you use for restoring the device? Just the stock one? 'Cause I (think) I saw you using a Ubuntu image on the Nexus 7...
u mentioned in the post that 15 devices of galaxy s series support this unbrickable mod which are those 15 devices? is Samsung Galaxy S i9003 included in this list or support this unbrickable mod and does all the the devices have the same procedure to use the unbrickable mod?
mfsr98 said:
What kind of image do you use for restoring the device? Just the stock one? 'Cause I (think) I saw you using a Ubuntu image on the Nexus 7...
Click to expand...
Click to collapse
I made the image using the working device using a UART connection. It consists of an official, Samsung signed SBOOT image that reloads SBOOT onto the EMMC.
pratik_s said:
u mentioned in the post that 15 devices of galaxy s series support this unbrickable mod which are those 15 devices? is Samsung Galaxy S i9003 included in this list or support this unbrickable mod and does all the the devices have the same procedure to use the unbrickable mod?
Click to expand...
Click to collapse
Nope. We only support Samsung Processors. Not OMAP or even Qualcomm for that matter.
AdamOutler said:
I made the image using the working device using a UART connection. It consists of an official, Samsung signed SBOOT image that reloads SBOOT onto the EMMC.
Nope. We only support Samsung Processors. Not OMAP or even Qualcomm for that matter.
Click to expand...
Click to collapse
is there any chance of getting this mod for i9003 in future?
pratik_s said:
is there any chance of getting this mod for i9003 in future?
Click to expand...
Click to collapse
I'm not working on it and I have no plans to do so.
AdamOutler said:
Yes. the same procedure will work on the S3. I'm also working on bringing this to other devices as well.
Click to expand...
Click to collapse
Is it working on galaxy S 2 ?
Sent from my GT-I9100 using xda app-developers app
drraptor said:
Is it working on galaxy S 2 ?
Sent from my GT-I9100 using xda app-developers app
Click to expand...
Click to collapse
Nope. I need a device. read the inital post.
great
i had to use this method on my Mk1 Galaxy Tab, worked like a dream..
ill be honest it stretched my hardware altering skills to the limit, always goot to keep learning.
Now i just need to actually buy a Galaxy Camera.. suppose i should make sure its a good shooter first !!
Thanks for your endless skills Adam.
Awsome! But do i just put the GCAM-UnBrickable zip file on my sd card? but how will it work if i brick my SG3 and i cant turn anything on? im sorry if its a dumb question, but i dont understand lol
terminal 7 said:
i had to use this method on my Mk1 Galaxy Tab, worked like a dream..
ill be honest it stretched my hardware altering skills to the limit, always goot to keep learning.
Now i just need to actually buy a Galaxy Camera.. suppose i should make sure its a good shooter first !!
Thanks for your endless skills Adam.
Click to expand...
Click to collapse
Are you talking about UnBrickable Mod? This is a bit different. This is a temporary mod and uses SDCard instead of USB.
Guzup said:
Awsome! But do i just put the GCAM-UnBrickable zip file on my sd card? but how will it work if i brick my SG3 and i cant turn anything on? im sorry if its a dumb question, but i dont understand lol
Click to expand...
Click to collapse
follow the instructions. you need to image the card with the image file in the zip.
Hi Adam...
Thank you for your idea,,,,,
But,This is released for officially use samsung service centers.....So.I Think no news here
I Know Your Topic is for Exynos4412 But if you want,i can send you any other SW method for repair many phone witout jtag,
like P7500,P7510,P5100,P5110,P3xxx.,Also I9300 SD_Method....I9250,I9100G,I9020,I9023,etc
Anyway,Thanks for help other pepole
But,Possible for bad understand me? can you explain me for more detail..?
Thank you
(i have any phone in my shop,"work and dead",so if you want,just tell me),Also i'm Product Supporter of "RIFF-BOX"...So,I can check everyting(Possible and supported CPU) with Jtag,,,,
BABAK236 said:
Hi Adam...
Thank you for your idea,,,,,
But,This is released for officially use samsung service centers.....So.I Think no news here
I Know Your Topic is for Exynos4412 But if you want,i can send you any other SW method for repair many phone witout jtag,
like P7500,P7510,P5100,P5110,P3xxx.,Also I9300 SD_Method....I9250,I9100G,I9020,I9023,etc
Anyway,Thanks for help other pepole
But,Possible for bad understand me? can you explain me for more detail..?
Thank you
(i have any phone in my shop,"work and dead",so if you want,just tell me),Also i'm Product Supporter of "RIFF-BOX"...So,I can check everyting(Possible and supported CPU) with Jtag,,,,
Click to expand...
Click to collapse
This isn't i9020/9023, which I designed the UnBrickable Resurrector for repair. This is an undocumented procedure. This isn't NVFlash from those Tegra based devices. This isn't the i9250 and i9100 which use the OMAP specific tool. This isn't JTAG either, I have a box.
The most similar method was released for i9300 but the T-Flash method has never worked properly for myself or others. This is something which did not exist before the first post in this thread.
Keep this in your repair bookmarks for when you need it along side your Riff box. Riff takes 6 wires generally. Every one of the 16 solutions I've come up with has been 1 or less.
How do I image a sdcard? And If my device gets bricked I just pop the card in and power it on? when I image the card will it do something special to the card? Or can i still use it to store stuff on.
Sent from my GT-I9300 using xda premium
Guzup said:
How do I image a sdcard? And If my device gets bricked I just pop the card in and power it on? when I image the card will it do something special to the card? Or can i still use it to store stuff on.
Sent from my GT-I9300 using xda premium
Click to expand...
Click to collapse
Most of your questions are already answered in the OP. (commands, revive instructions etc.)
Can the sd still be used? No. There is ARM code and a boot image copied to the beginning of your SDCard. This procedure will destroy the file system metadata although, physically, all the files are still present but not accessable anymore.
@Adam
By disabling the EMMC during the IROM sequence, this device will automatically fail-over to SDCard boot
Click to expand...
Click to collapse
Is this what shorting the resistors actualy does?
We've prepared an SDCard via the sdcard command in SBOOT below
Click to expand...
Click to collapse
So the T-Flash Option in Odin basically uses this sdcard command to create the bootloader sd?
Hi Adam
I Want Just helping You.....
So,I think you don't need
Anyway,Thanks
theq86 said:
Is this what shorting the resistors actualy does?
So the T-Flash Option in Odin basically uses this sdcard command to create the bootloader sd?
Click to expand...
Click to collapse
Yes. Shorting the resistor disables the EMMC. The TFlash works differently.
This is different from TFlash. Using TFlash you insert a boot loader from your computer and flash it to the device with Odin. The TFlash is supposed to create a boot loader from an sboot.bin.tar.md5. It has problems and seems not to work... Like ever..
I know the first few posts said the mod will work on the s3.. but since the US versions don't have exynos, I have to ask will this work on the US versions? Including Verizon?
WARNING: This should be the VERY VERY VERY VERY (Am I clear enough about this?) LAST thing you do to try and fix a chromecast. This can possibly fry a chromecast for good, so know going into this that it may not work!
Because of this, Me, XDA, and all other users are NOT RESPONSIBLE for any damage, problems, or issues that may arise from using this method. By using this tutorial, you agree and understand the above warning.
So, I had a Chromecast that I got stuck in "backupsys" boot mode, where it would try to boot the backupsys partition. Issue is, it would not boot, and you can't force it to boot from jumpdrive while it is in "recovery" or "backupsys" mode.
Well after tearing the thing down and getting UART setup, I started messing around, and found a way to FORCE the device to read from USB, regardless to the bootmode.
How this works is during the boot process, you jump 2 select pins on the PCB by the CPU, which causes the device to have a block read error while reading the system flash. When this happens, the device falls back into USB read mode.
Because this causes a read interrupt, it "MAY" have unknown effects on the longevity of your device, so like I said before, this should be a LAST RESORT OPTION ONLY.
What You Need:
Chromecast with Rootable Bootloader
Paper Clip/Needle to jump some TINY pins
UART hooked up to your computer
Jump Drive with the Root Image & USB OTG Cable
Process:
Step 1: Tear down your device, and have it hooked up to UART on your computer.
Step 2: Have the USB OTG Cable and Jump Drive with the root image plugged into the chromecast. Do not have it plugged into power yet.
Step 3: On the top side of the chromecast (Not the side with the UART Pins), carefully remove the RF shield to reveal the WiFi Chip and CPU.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Step 4: Have putty open and connected to your UART COM port. Also have "reboot recovery" in your clipboard. (Copy that command so you can right-click in putty to send it quick)
Step 5: Now, prepare to jump pin #26 (shown in photo below, marked with red square on right side of CPU) when you plug in the chromecast to power it.
Step 6: Plug in the chromecast power, and watch the UART output. Once the Chromecast LED turns read, use the paper clip to short pin #26 and you should get the following outout:
Code:
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
PG868: leakage=208 vcore=10 sysctl=59
Customer key found, loading customer key...
Loading Secure Customer Key Store is finished
Loading Secure Customer Key Store is finished
Finish loading Customer Key store
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
OTP status=0x000000FF lkg curr=208 mA
nand_randomizer_init_by_flash_type(chip_id = 0x2C48044AA500): !!! RANDOMIZED !!!
[FASTLOGO] init.
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
showlogo_init_irq, Enable IRQ_dHubIntrAvio0(0x20) for cpu 0
[FASTLOGO] done.
fts: v155 loaded from 0x00268000
Read failed @ 0x7814c000
ERROR: Failed to read CPU image ret -1
Booting from NAND failed, booting from USB....!
timer_clk_freq = 0x47868c0
USB: Register 10011 NbrPorts 1
USB EHCI 1.00
scanning bus for devices... 2 USB Device(s) found
scanning bus for storage devices... 1 Storage Device(s) found
If you do not see "Booting from NAND failed, booting from USB....!", unplug the chromecast, and try again.
Step 7: The chromecast will now try and boot the Jump Drive image. During this, there will be a root shell hiding under all the output. You need to QUICKLY and repeatedly press Enter until you see "/ # " flash on the screen. Once you see that flash, QUICKLY press right-click so putty pastes your clipboard, and then press enter. If you do this fast enough, the kernel will run "reboot recovery" and restart.
Step 8: The device will now try to boot the normal recovery partition. This is fine, because even if it fails, the bootloader will detect this and reset the device to normal boot mode after a few power cycles. After a few power cycles, the chromecast should eventually show the following over UART:
Code:
sys_init start. boot_strap=0x00000080 (source=NAND), boot_state=0x0
PG868: leakage=208 vcore=10 sysctl=59
Customer key found, loading customer key...
Loading Secure Customer Key Store is finished
Loading Secure Customer Key Store is finished
Finish loading Customer Key store
bootloader image verified, start...
eureka-b3 BG2CD [Jun 6 2013 12:07:51] ver:9086b04-dirty
OTP status=0x000000FF lkg curr=208 mA
nand_randomizer_init_by_flash_type(chip_id = 0x2C48044AA500): !!! RANDOMIZED !!!
[FASTLOGO] init.
[FASTLOGO] Set CPCB1 output reso 8.[SHOWLOGO] start
showlogo_init_irq, Enable IRQ_dHubIntrAvio0(0x20) for cpu 0
[FASTLOGO] done.
fts: v168 loaded from 0x0029c000
[SHOWLOGO] stopped
Boot normal GTV image
fts: record v169 commited @ 0x002a0000
Uncompressing Linux... done, booting the kernel.
And congrats, the device is now back to Normal Boot Mode! You can now hold the power button during power on to properly flash the rooted image, and your device should be good to go!
DEVS: If you want to help make this easier, can you make a USB image that just boots the kernel and stops at command line? Would make this process easier.
FAQ:
Q: Why do I need this? I can just hold down the button to boot from a Jump Drive.
A: This is true, but if a Chromecast is in any other boot mode besides normal, then it will be unable to boot from USB. This is just how the bootloader is coded. (I submitted a patch to google regarding this, even though it would never help us out thanks to the updated locked bootloader).
Q: Will this allow be to Downgrade/Root my device?
A: Answer is Probably not, even though this is untested. This is because the bootloader is still loading from the device, so it will still probably check the USB Drives image for a valid signature.
Q: I tried this, but my device still won't boot.
A: Well then there is probably not much else you can do, besides looking for a fix yourself. Remember, its a $35 dollar device so it may just be best to buy a new one.
Reserved
This reminds me of what people did for the xbox 360 with the dual nand chips, or what Adam Outler did with the galaxy camera. He had a switch that would choose whether to boot the default eMMC or a SD card.
Aaron Swartz, Rest in Pixels.
ddggttff3 said:
Reserved
Click to expand...
Click to collapse
Can you explain why you chose pin 26?
Thanks
zackoch said:
Can you explain why you chose pin 26?
Thanks
Click to expand...
Click to collapse
In all honesty, trial and error with a device I didn't think would ever work again.
EDIT: Also, getting very very lucky.
jamcar said:
This reminds me of what people did for the xbox 360 with the dual nand chips, or what Adam Outler did with the galaxy camera. He had a switch that would choose whether to boot the default eMMC or a SD card.
Aaron Swartz, Rest in Pixels.
Click to expand...
Click to collapse
In case anyone didn't pick on my meaning, it would be cool if we could use a switch to boot from USB or eMMC.
Aaron Swartz, Rest in Pixels.
jamcar said:
In case anyone didn't pick on my meaning, it would be cool if we could use a switch to boot from USB or eMMC.
Aaron Swartz, Rest in Pixels.
Click to expand...
Click to collapse
technically this may be possible, but I am not a developer but don't quote me. The fact that we can load a kernel off a jump drive though should mean we have the ability to load and run a system image off of a jump drive.
I just got a second chromecast and am awaiting my USB OTG power cable, I do plan to root this one and work on seeing if my idea is possible.
Aaron Swartz, Rest in Pixels.
How did you get the remainder of the shield off? I got the covers off but I can't get the shield off.
EDIT: I got it. Another question: do you leave your chromecast "naked" or?
jamcar said:
How did you get the remainder of the shield off? I got the covers off but I can't get the shield off.
EDIT: I got it. Another question: do you leave your chromecast "naked" or?
Click to expand...
Click to collapse
You should put the RF shields back on after you do this modification, as they prevent interference and issues. During the dissection of my device though, I fully removed the shields (including the sides), so I have no choice but to run that one naked, but it is sitting on the side as I have another rooted chromecast I use for day to day usage.
Short pin 26 to Ground?
Sent from my XT897 using XDA Premium 4 mobile app
rbeavers said:
Short pin 26 to Ground?
Sent from my XT897 using XDA Premium 4 mobile app
Click to expand...
Click to collapse
To be more clear, you should jump both pins at point 26. I am planning on re-doing this thread now that flashcast is out, and can make this a hell of a lot easier.
Have not used my chromecast since I bought it, prob early August. Used it the first day and put it back in the box. Decided to play with it again and root it. Problem is as soon as you plug it into the TV it starts to update (have/had wifi off just in case). So I assume it downloaded the update way back when I first used it. Not sure if this update patches the root exploit or not and I don't want to find out. Will this method get make out of "update mode"? Anything else I can try? You mentioned Flashcast any way to use it?
Thanks
BB
Bad Bimr said:
Have not used my chromecast since I bought it, prob early August. Used it the first day and put it back in the box. Decided to play with it again and root it. Problem is as soon as you plug it into the TV it starts to update (have/had wifi off just in case). So I assume it downloaded the update way back when I first used it. Not sure if this update patches the root exploit or not and I don't want to find out. Will this method get make out of "update mode"? Anything else I can try? You mentioned Flashcast any way to use it?
Thanks
BB
Click to expand...
Click to collapse
First off, any official OTA for the chomecast will patch the root exploit, so if that update goes through you will be unable to root your chromecast.
As for this method working for you, if you follow the jumping method as stated in OP, then yes, this method would force your chromecast to boot from the USB Cable.
As for using flashcast, thanks to tchebb's help, if you just boot flashcast 1.1.1 on a jumpdrive, it will automatically delete the OTA from the device, and reset the boot mode back to normal. So the need to use UART is no longer required!
ddggttff3 said:
First off, any official OTA for the chomecast will patch the root exploit, so if that update goes through you will be unable to root your chromecast.
As for this method working for you, if you follow the jumping method as stated in OP, then yes, this method would force your chromecast to boot from the USB Cable.
As for using flashcast, thanks to tchebb's help, if you just boot flashcast 1.1.1 on a jumpdrive, it will automatically delete the OTA from the device, and reset the boot mode back to normal. So the need to use UART is no longer required!
Click to expand...
Click to collapse
I've tried doing the root method posted here:
http://forum.xda-developers.com/showthread.php?t=2529903
When I connect the CS to the usb side of the OTG cable it flashs red and then white and that's it.
Might I be doing something wrong?
Thanks
BB
Bad Bimr said:
I've tried doing the root method posted here:
http://forum.xda-developers.com/showthread.php?t=2529903
When I connect the CS to the usb side of the OTG cable it flashs red and then white and that's it.
Might I be doing something wrong?
Thanks
BB
Click to expand...
Click to collapse
Is your device rootable? if it has taken any official google OTA yet, then the device will be unable to use or boot flashcast as google patched the root exploit.
Next time please try to keep questions to the relevant thread, thanks.
ddggttff3 said:
First off, any official OTA for the chomecast will patch the root exploit, so if that update goes through you will be unable to root your chromecast.
As for this method working for you, if you follow the jumping method as stated in OP, then yes, this method would force your chromecast to boot from the USB Cable.
As for using flashcast, thanks to tchebb's help, if you just boot flashcast 1.1.1 on a jumpdrive, it will automatically delete the OTA from the device, and reset the boot mode back to normal. So the need to use UART is no longer required!
Click to expand...
Click to collapse
IIRC, in another thread it was stated that Flashcast made no changes to the Chromecast, it was just to setup the USB drive to flash the Chromcast and it was the Pwnedcast ROM that made the needed changes to prevent the OTA from taking place.
It's mentioned in this post:http://forum.xda-developers.com/showpost.php?p=46307051&postcount=124 or am I misunderstanding what you mean?
wptski said:
IIRC, in another thread it was stated that Flashcast made no changes to the Chromecast, it was just to setup the USB drive to flash the Chromcast and it was the Pwnedcast ROM that made the needed changes to prevent the OTA from taking place.
It's mentioned in this post:http://forum.xda-developers.com/showpost.php?p=46307051&postcount=124 or am I misunderstanding what you mean?
Click to expand...
Click to collapse
That is correct, flashcast makes no changes, but it DOES reset the boot mode of the device back to normal. this is done to ensure that no device gets stuck in recovery mode forever, as well as deletes /cache/ota.zip so if a official google OTA is on the device, it gets deleted.
ddggttff3 said:
That is correct, flashcast makes no changes, but it DOES reset the boot mode of the device back to normal. this is done to ensure that no device gets stuck in recovery mode forever, as well as deletes /cache/ota.zip so if a official google OTA is on the device, it gets deleted.
Click to expand...
Click to collapse
Deleting /cache/ota.zip isn't considered a change? So, if ALL that is done to a 12072 build is to setup the Flashcast USB drive, it can't be updated by Google?
wptski said:
Deleting /cache/ota.zip isn't considered a change? So, if ALL that is done to a 12072 build is to setup the Flashcast USB drive, it can't be updated by Google?
Click to expand...
Click to collapse
No, the device will still be able to update from google if flashcast is ran, flashcast just deletes any already downloaded OTA that has yet to be installed.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
What is it?
FlashCast is a USB image that provides a standardized way to mod your Chromecast. Think of it like a recovery which runs off of a USB drive. No more struggling with the limitations of the GTVHacker image, which is hard to modify and can only flash the /system partition. FlashCast is based on shell scripts, so it you can use it to do anything you can do with a root shell. It also comes with a comprehensive suite of helper functions, so many tasks actually become much easier than they would be using a regular shell.
How do I use it?
If you prefer to follow a video tutorial, @ddggttff3 has made one here. Otherwise, read on for written instructions.
Preparation
Before you begin, you'll need some materials:
A Chromecast with a vulnerable bootloader. (For the bootloader to be vulnerable, the Chromecast must have never been connected to the internet and have a rootable serial number.)
The latest version of FlashCast (the download link is at the bottom of this post).
A USB drive (minimum size 256MB) which you are willing to have erased.
A powered Micro-USB OTG cable such as this one. (Alternatively, an unpowered USB hub and unpowered OTG cable can be used as shown here. I have not tested this method and cannot help you if your USB drive is not detected.)
Installation
Once you've gathered everything required, you can install FlashCast to your USB drive. To do so, you need to write the .bin file contained in the FlashCast .zip file you've downloaded to your drive. Simply using a file explorer to drag the .bin file to your USB drive is not correct and will not work. The specifics of doing a low-level write differ depending on OS, but, in general, Linux and OS X users should use dd and Windows users should use Win32DiskImager. This operation will erase your flash drive.
After you've written the .bin file to your USB drive, your computer will no longer recognize a filesystem on it. This is normal. In order for FlashCast to set up the drive's filesystem, you need to boot your Chromecast from the drive. To do this, perform the following steps:
Connect the male end of your Micro-USB OTG cable to your Chromecast.
Plug your USB drive into the USB-A female connector of the OTG cable.
Simultaneously hold the button on your Chromecast and connect the Micro-USB power connector to the female Micro-USB port of the OTG cable.
The power must be connected last. If it is not, your Chromecast may fail to detect the USB drive and boot up normally. If this happens, simply repeat the process, making sure to perform the steps in the correct order.
If FlashCast was copied correctly, you will see a red light on your Chromecast for approximately 9 seconds. It will then turn white and your TV will display a screen containing the FlashCast logo (shown at the top of this post) and various instructions. Once you see this screen, you may release the button. The screen will appear for another 9 seconds or so, after which your Chromecast will reboot on its own to the stock image. After it has rebooted (you may disconnect the power when it starts to boot into the stock image if you're worried about it updating), FlashCast is installed on your USB drive and ready for use. Your device is NOT rooted at this point and can still be updated by Google. To root, you need to flash a mod such as Team Eureka's Eureka-ROM. When you plug the drive into your computer, it should appear as an empty drive which you can copy files to.
Usage
FlashCast-compatible mods are distributed as .zip files. To flash a mod, simply copy it to the USB drive with the name eureka_image.zip. Do NOT use dd as you did in the previous section. If you do, you will have to repeat the whole process. Instead, just copy it onto the drive's filesystem as you would any other file. FlashCast is also capable of flashing a GTVHacker-style raw system image; if there are no native FlashCast mods present and the system image is in a file called Chromecast-Rooted-System-GTVHacker-cj_000-July27-635PM.bin, it will be flashed. This method of flashing is very inflexible and is not recommended.
How do I develop for it?
If you are interested in creating mods for FlashCast, please see the developer thread.
Who made it?
FlashCast is based on a generic Buildroot Linux image. Its mod framework was written entirely by me, but I couldn't have done it without the help of various individuals. Thanks, @cj_000, for helping me and putting up with my stupid questions in IRC. And thank you, @tvall, for releasing your update-free images so promptly up until now. Without those, FlashCast would have a much smaller potential user base.
Where do I get it?
Downloads and source code are available at FlashCast's GitHub repository. The latest version is currently v1.3.
Cool! First
Sent from my SCH-I605 using Tapatalk 4
Oh yeah, finally we can update kernels! Thanks for this, got some work to do now.
tchebb, awesome work. Your flasher seems so much more flexible than what we put out (but hell, we did it in 3 days), and it's never a problem to help out. In fact, we LOVE it when someone actually picks up on what we did and makes it so much better.
Can't wait to give it a try, once I get some free time!
CJ
vulnerable bootloader ?
How do I know if I have A Chromecast with a vulnerable bootloader ?
Looks super cool man, I am about to check it out and update my chromecasts now! Great work!!
just flashed over, working great. thanks so much!
stewwmann said:
How do I know if I have A Chromecast with a vulnerable bootloader ?
Click to expand...
Click to collapse
The initial software which the Chromecast shipped with, build 12072, had a vulnerable bootloader. In all following software versions (12840, 12940, and 13300), the vulnerability is patched and FlashCast can't be used. If your Chromecast has been allowed to access the internet, it will have updated itself and will not be vulnerable. If you have not set up your Chromecast and it still has the software from the factory, it may or may not be vulnerable, depending on when you bought it. To check, you can plug it in (but not set it up), and check its "Build" in the Chromecast app. Alternatively, you can simply try to boot FlashCast on it. If it's patched, nothing bad will happen; the USB drive will simply fail to boot.
tchebb said:
The initial software which the Chromecast shipped with, build 12072, had a vulnerable bootloader. In all following software versions (12840, 12940, and 13300), the vulnerability is patched and FlashCast can't be used. If your Chromecast has been allowed to access the internet, it will have updated itself and will not be vulnerable. If you have not set up your Chromecast and it still has the software from the factory, it may or may not be vulnerable, depending on when you bought it. To check, you can plug it in (but not set it up), and check its "Build" in the Chromecast app. Alternatively, you can simply try to boot FlashCast on it. If it's patched, nothing bad will happen; the USB drive will simply fail to boot.
Click to expand...
Click to collapse
I just got 2 units this week from Amazon and they have not been updated from the factory and thus, vulnerable.
tchebb said:
The initial software which the Chromecast shipped with, build 12072, had a vulnerable bootloader. In all following software versions (12840, 12940, and 13300), the vulnerability is patched and FlashCast can't be used. If your Chromecast has been allowed to access the internet, it will have updated itself and will not be vulnerable. If you have not set up your Chromecast and it still has the software from the factory, it may or may not be vulnerable, depending on when you bought it. To check, you can plug it in (but not set it up), and check its "Build" in the Chromecast app. Alternatively, you can simply try to boot FlashCast on it. If it's patched, nothing bad will happen; the USB drive will simply fail to boot.
Click to expand...
Click to collapse
damm, i have this 13300 version. and this will never happen or is there a way?
Updated 3 Chromecasts, thanks for the excellent work!
raydekok said:
damm, i have this 13300 version. and this will never happen or is there a way?
Click to expand...
Click to collapse
Currently there are no other known exploits.
ddggttff3 said:
Currently there are no other known exploits.
Click to expand...
Click to collapse
that is to bad. i'm hoping that it will not take to long.
raydekok said:
that is to bad. i'm hoping that it will not take to long.
Click to expand...
Click to collapse
@cammykool has been hoping that since Google forced 12840 upon him. He has given up hope.
I just finished using FlashCast on 2 ChromeCasts and everything went smooth and great! I could really see FlashCast evolving into a full blown recovery for ChromeCast!
I am thoroughly impressed with FlashCast, amazing work man, well done!
Hey guys, what's the purpose of this? Does it mean we can then use 3rd party developed apps? Apps that allow us to play local videos, etc.?
Thank You, Thank You very much....
Thanks for all the responses, I found a local Best Buy that has one, and I have put it on in store pickup for tomorrow. So if I do end up with one that has original fw, and am successful in installing flashcast, I can use the device as normal after that? no worries of it being locked back down? if we are not sure ,I just will continue using my updated one until then
stewwmann said:
Thanks for all the responses, I found a local Best Buy that has one, and I have put it on in store pickup for tomorrow. So if I do end up with one that has original fw, and am successful in installing flashcast, I can use the device as normal after that? no worries of it being locked back down? if we are not sure ,I just will continue using my updated one until then
Click to expand...
Click to collapse
If it comes with the original version, and you install an image that doesn't update, you can use it as normal and not worry about it being locked down.
cool
:good: *fingers crossed*
So if my Chromecast had been connected to my TV since release date I'm screwed huh
Sent from my Nexus 7 using Tapatalk 2
Dear XDA Users,
We’re happy to announce that fail0verflow, GTVHacker, and Team-Eureka have jointly discovered and exploited a new vulnerability in the Chromecast which allows root access on the current software build (17977) as well as new in box devices (proof).
Requirements
Chromecast Device
Teensy 2 or 2++
Teensy 2 - https://www.pjrc.com/store/teensy.html
Teensy 2++ - https://www.pjrc.com/store/teensypp.html
Teensy Loader - https://www.pjrc.com/teensy/loader.html
1GB+ Flashdrive
The files included in the zip
Instructions
Install the appropriate Teensy Root Package on your device.
If New In Box device, use 12940 otherwise use 16664.
Use plusplus_*.hex for 2++ model, regular_*.hex for 2 model
Using Win32DiskImager or dd, install the Flashcast Image to the 1G+ Flashdrive.
Plug in the Teensy to a USB OTG Cable, and plug it into the Chromecast while holding down the reset button.
The Teensy light should start flashing. If not, try the process again. After 30 seconds, it should go solid orange and the Chromecast LED sould turn white.
Unplug the Teensy, then plug in the flashdrive loaded with Flashcast into the OTG cable, and then press the Chromecast button again.
If you used the 12940 image, the LED should turn white. If you used the 16664 image, the LED should stay dim red.
After about 5 minutes, the Chromecast should reboot and your device should now be rooted!
Having Problems?
“I am using a USB hub with a OTG cable, why is it not working?”
This root method requires a powered OTG cable and will not work over a USB hub. This is because the teensy needs to be directly connected to the Chromecast to work and can not go over a USB hub.
“How can I tell if the root is running?”
If the Chromecast is plugged into a TV, you should see a Flashcast message telling you your device is being rooted. If you do not see this message, unplug the Chromecast and try again.
Created By
@fail0verflow
@gtvhacker
@Dev_Team_Eureka
Shoutouts
Google Inc. - Thanks for the awesome device, now add fastboot support
XDA-Developers - For being the home of Chromecast Development
Download
Exploit Demo: https://www.youtube.com/watch?v=S2K72qNv1_Q
Download: http://download.gtvhacker.com/file/chromecast/HubCap.zip
Source:
GitHub: https://github.com/axoltl/HubCap
Brilliant -- working through the steps now!
One bit of missing hardware that may seem obvious: you'll need a USB-to-MiniUSB cable to program the Teensy. It doesn't ship with one and it wasn't shown in the video. I had a spare, so I'm in business and will edit my post once I'm able to successfully flash my Chromecast, but it may need to be put down on the required parts list.
UPDATE: worked like a charm!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
The rooted device was purchased from Amazon two days ago with Prime shipping. It's S/N begins 3C24***. I couldn't tell you how happy I am to have not missed root this time around.
Thanks again for all your work, guys!
Awesome, thanks! Downloading now and will update!
Edit: flawless victory! Rooted 2 CC, one new in box and the other on latest firmware. Great work! Can't wait to see the source to understand how the exploit took place.
Amazing! Thanks!
Yea! I have a rooted CCast....
Just a note for Windows users who use win32mage....the flashcast image doesn't show using the browse because it's a BIN not an IMG file...
Just remove the file filter to *.* to see the proper image to burn to the USB Jump Drive.
Congrats to the team!
Gonna get my teensy asap! CC unplugged until then. Thank you so much, team!!
is this persistent and does it block OTA's?
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.
It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?
I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.
Thoughts?
psouza4 said:
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.
It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?
I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.
Thoughts?
Click to expand...
Click to collapse
Not sure but one of the ones I just rooted was 37*** that was on the latest ota.
I used the 16664 with a 2++
Sent from my 831C using Tapatalk
psouza4 said:
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.
It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?
I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.
Thoughts?
Click to expand...
Click to collapse
The exploit should still work on the older 36** serial device with the 16664 hex file. Double check to make sure the firmware on it is 16664 or greater. You won't be able to SSH into the device unless the root flashcast image is running.
Awesome! ill keep my chromecast off the Internets till i get the board :good:
they have it on adafruit which is where i got my pi and adruino stuff
ddggttff3 said:
The exploit should still work on the older 36** serial device with the 16664 hex file. Double check to make sure the firmware on it is 16664 or greater. You won't be able to SSH into the device unless the root flashcast image is running.
Click to expand...
Click to collapse
I am an idiot and didn't press the button on the Chromecast the second time to initiate payload from the flash drive. This is TWICE I did it and forgot about it both times.
Thanks!
Will this work with a Teensy 3.0?
mazzanet said:
Will this work with a Teensy 3.0?
Click to expand...
Click to collapse
Nope, only the Teensy 2 and Teensy++ 2 are supported (and there are separate images for both).
http://forum.xda-developers.com/showpost.php?p=54885650&postcount=9
Rooted one of my chromecasts. Thanks!
psouza4 said:
Hmm, had success on a shiny, new 3C*** serial, but my older 36*** won't root.
It just sits forever at a black screen. I have a Teensy++ and have tried both the plusplus_16664.hex boot code that worked for my 3C*** serial and the plusplus_12940.hex version. Both Chromecasts were on the same Google OTA build. Is it possible this exploit doesn't work on the 36*** serials?
I can't SSH to it, neither during the blank screen (which I let sit for 20+ minutes) nor upon rebooting (no root), so I can't give you the flashcast.log file, sorry.
Thoughts?
Click to expand...
Click to collapse
I found it difficult to power up the system and hold the CCast button down while doing it...
Figured out that if I POWER up the OTG cab;e and Teensy First it was much easier to hold the button and plug the CCast power in.
Try that....The Teensy should flash, if it doesn't reprogram it.
Make sure you use the Flashcast in the Hub release not the original found elsewhere on XDA
Asphyx said:
I found it difficult to power up the system and hold the CCast button down while doing it...
Figured out that if I POWER up the OTG cab;e and Teensy First it was much easier to hold the button and plug the CCast power in.
Try that....The Teensy should flash, if it doesn't reprogram it.
Make sure you use the Flashcast in the Hub release not the original found elsewhere on XDA
Click to expand...
Click to collapse
This is already resolved (posted above): I had forgotten to hit the button a second time for the flash drive payload.
psouza4 said:
I am an idiot and didn't press the button on the Chromecast the second time to initiate payload from the flash drive. This is TWICE I did it and forgot about it both times.
Thanks!
Click to expand...
Click to collapse
I often wish there was something like the Teensy loader to upload code to my own head so I wouldn't forget to do things! LOL!
i have a unopened 39xxxxxx
should i update it to 16664+ b4 rooting
don't know the version it comes with