This exploit lets you unlock the bootloader of the Google Chromecast with Google TV
Sadly, the process is a bit tricky
The Google Chromecast with Google TV is one of the best media streaming dongles out there. The little piece of hardware not only unlocks 4K video streaming at 60fps for connected devices, but it also brings support for HDR content, Dolby Vision, and Dolby Atmos audio. The device can even be considered a capable gaming console thanks to receiving official support for Google’s Stadia cloud gaming service. Now, developers have been able to successfully unlock its bootloader, opening up even more possibilities.
Unlike with the Pixel smartphone lineup, Google doesn’t offer an official bootloader unlock method for the Chromecast with Google TV. As a result, the modding community had to rely on security vulnerabilities to craft an unofficial bootloader unlock method. In a recent forum post, security researchers Nolen Johnson and Jan Altensen, AKA XDA Recognized Developers npjohnson and Stricted respectively, highlighted the exploit chain used to unlock the bootloader of the Google Chromecast with Google TV. The method, which makes use of a bootROM bug in the Amlogic SoC originally discovered by another security researcher by the name of Frederic Basse, requires you to boot the dongle to Amlogic’s USB burning mode and then boot a set of modified bootloader images.
To begin with, the target Chromecast with Google TV unit must be manufactured before December 2020 and the running firmware version needs to be below the February 2021 patch level. This is because newer units come with a bootROM password protection mechanism, and Google enabled a similar mitigation policy on older units in the February 2021 software update.
If your device is vulnerable, then you’ll have to unplug it from the HDMI port and trigger the Amlogic USB burning mode by holding down the button on the rear of the device while plugging the USB-C end of a USB-A to USB-C cable into the dongle. The unlocker script, which communicates with the target through the libusb-dev library, requires a 64-bit Linux environment.
In a nutshell, the process involves downloading the unlocker suite, connecting the Google Chromecast with Google TV to a PC running Linux with a USB cable, and running a shell script that executes the exploit chain. Booting the modded bootloader essentially modifies the contents of the /env partition and puts the device in a state where it’s capable of ignoring the anti-rollback check and the signature on the U-Boot in order to declare itself as bootloader-unlocked. For more details, you can read the full writeup from Nolen Johnson and Jan Altensen at the GitHub repo linked below.
An unlocked bootloader is key to booting an aftermarket operating system, and you won’t have to wait long before you can flash a custom ROM onto it. Johnson says that LineageOS builds are coming soon for the Chromecast with Google TV (Johnson is listed as a “trusted reviewer” and contributor to LineageOS). In case you want to try something else, you’ll be happy to know that Frederic has already booted Ubuntu Linux from an external USB flash drive.
Since the process is a bit tricky and requires devices manufactured before a certain date, it’s safe to say that the exploit isn’t meant for beginners and will most definitely void the warranty. Nonetheless, it is possible to re-lock the bootloader by flashing a stock firmware package crafted by the developers. As a precautionary measure against forced updates, you’re advised to block Google’s OTA servers via your router’s DNS settings and, if possible, remove the “SetupWraith” application from the stock firmware. Users are also advised to steer clear of Magisk for now, because patching the stock boot image with Magisk will soft-brick the system.