Skip to main content

Patched Chromecast with Google TV exploit bypassed Android Verified Boot

Following this month’s updates to both the HD and 4K models of Chromecast with Google TV, a group of LineageOS developers have shared the details of a (now-patched) exploit that enabled rooting the dongle by entirely bypassing Android Verified Boot.

One of the goals of LineageOS, an independently developed Android ROM, is to support older Android devices longer than their original manufacturers choose to while also offering a cleaner, more customizable experience. Some devices, like Google’s Pixel series, allow owners to easily unlock the bootloader and install a ROM like LineageOS, but most others are locked and require some ingenuity.

Google’s pair of Chromecast with Google TV dongles fall into the latter camp despite the inclusion of an “OEM unlocking” switch when the newer HD model launched. Having previously found success in modding the Chromecast with Google TV (4K), LineageOS contributors Nolen Johnson and Jan Altensen, with assistance from Ray Volpe, turned their attention to the HD version.

Their findings have been published today and are well worth a read for the technically inclined. Johnson told 9to5Google that parts of the discovered exploit impacted all Google hardware powered by an Amlogic chip, not just the Chromecast with Google TV (HD).

Before we dig into the details, there are a few important things to note. First, the exploit was properly reported to Google and was patched in the most recent update. The company has also enabled “Anti-Rollback” protection to ensure Chromecasts can’t be made vulnerable again. So if you’re interested in modding your Chromecast with Google TV – which is a trickier process than simply running ADB commands – you’ll want to make sure that the update does not install.

Google is enforcing these protections due to the severity of the exploit. Typically, when one unlocks the bootloader to root/mod an Android device, a factory reset is enforced to protect your private data. By contrast, the exploit chain found by Johnson, Altensen, and Volpe is able to trick Android Verified Boot into thinking nothing has been modified, meaning it can gain root access without wiping your data. Suffice it to say this is a critical security and privacy flaw.

That said, there’s no need to be worried about an attacker using this particular exploit without your knowledge. Beyond the fact that Google has already rolled out a fix, the exploit (initially) requires physically modifying the hardware of the Chromecast. The process isn’t too in-depth for an individual wanting to mod their own gadgets, but it’s certainly too much for a would-be hacker.

If you’re not afraid of a bit of wiring and solder, the trio has offered some diagrams and instructions on how to attempt this mod for yourself. Meanwhile, the group is currently working on getting LineageOS running properly on the Chromecast with Google TV (HD), but it will likely still be a while before the ROM becomes formally available.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Kyle Bradshaw Kyle Bradshaw

Kyle is an author and researcher for 9to5Google, with special interests in Made by Google products, Fuchsia, and uncovering new features.

Got a tip or want to chat? Twitter or Email. Kyle@9to5mac.com

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications