Chromecast: Exploiting the Newest Device By Google.

Posted: July 28th, 2013 | Filed under: Uncategorized | 10 Comments

On Wednesday, July 24th Google launched the Chromecast. As soon as the source code was published we began our audit. Within a short period of time we had multiple items to look at once our devices arrived. We received our Chromecasts the following day and were able to confirm that one of the bugs existed in the build the Chromecast shipped with. From that point on we began building what you are now seeing as our public release package.

Exploit Package:
Our Chromecast exploit package modifies the system to spawn a root shell on port 23. This allows researchers to better investigate the environment and gives developers a chance to build and test software on their Chromecasts. For the normal user this release will probably be of no use; for the rest of the community it is just the first step in opening up what has, up to this point, been a mysterious stick. We hope that following this release the community will have the tools they need to improve on the shortfalls of this device and make better use of the hardware.

Is it really ChromeOS?

No, it’s not. We had a lot of internal discussion on this and have concluded that it’s more Android than ChromeOS. To be specific, it’s actually a modified Google TV release, but with all of the Bionic / Dalvik stripped out and replaced with a single binary for Chromecast. Since the Marvell DE3005 SoC running this is a single-core variant of the 88DE3100, most of the Google TV code was reused. So, although it’s not going to let you install an APK or anything, its origins are clear: the bootloader, kernel, init scripts and binaries are all from the Google TV.

We are not ruling out the ability for this to become a Google TV “stick”.

Speaking of Google TV – if you are in Vegas for DEF CON 21, check out our talk – “Google TV: Or How I Learned to Stop Worrying and Exploit Secure Boot” this Friday August 2nd at 3PM in the Penn and Teller Theater! We’ve got secure boot exploits for the Google TV (unsigned kernels and roots anyone?) and more – don’t miss it!


How does the exploit work?

Lucky for us, Google was kind enough to GPL the bootloader source code for the device, so we can identify the exact flaw that allows us to boot an unsigned kernel. By holding down the single button while powering on the device, the Chromecast boots into USB boot mode. USB boot mode looks for a signed image at offset 0x1000 on the USB drive. When one is found, the image is passed to the internal crypto hardware to be verified, but after this process the return code is never checked! Therefore, we can execute any code at will.

ret = VerifyImage((unsigned int)k_buff, cpu_img_siz, (unsigned int)k_buff);

The line above shows the call made to verify the image; the value stored in ret is never actually examined to ensure that the call to “VerifyImage” succeeded. From that, we are able to execute our own kernel. Hilariously, this was harder to do than our initial analysis suggested, because the USB-booted kernel needed extra modifications to allow us to modify /system, as well as a few other tweaks.
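To make the bug class concrete, here is an added C example; it is not the bootloader's code. A constructed verifier stands in for VerifyImage, and the unchecked pattern the post describes sits beside a fixed version that fails closed. The verifier, the trailing-marker "signature" and the two sample images are all assumptions made so the example runs offline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the bootloader's VerifyImage(): 0 on success,
 * non-zero on any failure. A real verifier hands the buffer to the crypto
 * engine; here the "signature" is a trailing constructed marker so the
 * example runs offline. */
#define SIG_LEN 8
static const uint8_t kValidSig[SIG_LEN] = { 'G', 'O', 'O', 'D', 'S', 'I', 'G', '!' };

int verify_image_sim(const uint8_t *img, size_t len)
{
    if (img == NULL || len < SIG_LEN)
        return -1;                      /* malformed: too short to carry a signature */
    return memcmp(img + len - SIG_LEN, kValidSig, SIG_LEN) == 0 ? 0 : -2;
}

/* Vulnerable pattern (the bug class the post describes): the verifier runs,
 * its result is stored, and control proceeds into the image no matter what. */
bool boot_unchecked(const uint8_t *img, size_t len)
{
    int ret = verify_image_sim(img, len);
    (void)ret;      /* only here to keep this example warning-clean; ret is never examined */
    return true;    /* jumps into the image regardless of the verdict */
}

/* Hardened pattern: treat anything other than explicit success as failure
 * and refuse to continue. Testing "ret != 0" rather than "ret == -2" means
 * unexpected error codes also fail closed. */
bool boot_checked(const uint8_t *img, size_t len)
{
    int ret = verify_image_sim(img, len);
    if (ret != 0) {
        fprintf(stderr, "image verification failed (code %d); refusing to boot\n", ret);
        return false;
    }
    return true;
}

/* Constructed sample images, not real Chromecast data: a few payload bytes
 * followed by either the valid marker or a tampered one. */
static const uint8_t kGoodImage[] = {
    0xde, 0xad, 0xbe, 0xef, 'G', 'O', 'O', 'D', 'S', 'I', 'G', '!'
};
static const uint8_t kTamperedImage[] = {
    0xde, 0xad, 0xbe, 0xef, 'B', 'A', 'D', '!', 'B', 'A', 'D', '!'
};

int main(void)
{
    printf("unchecked boot, tampered image: %s\n",
           boot_unchecked(kTamperedImage, sizeof kTamperedImage) ? "BOOTS" : "refused");
    printf("checked boot,   tampered image: %s\n",
           boot_checked(kTamperedImage, sizeof kTamperedImage) ? "BOOTS" : "refused");
    printf("checked boot,   good image:     %s\n",
           boot_checked(kGoodImage, sizeof kGoodImage) ? "BOOTS" : "refused");
    return 0;
}
```

The (void) cast in boot_unchecked exists only to keep the example warning-clean; without it, GCC's -Wunused-but-set-variable (part of -Wall) reports ret as assigned but never read, which is one cheap compile-time way to surface this class of defect across a bootloader tree. Checking for exact success rather than for a particular error code is the other habit worth copying: the verifier's verdict should gate the jump, and any value that is not the success value should stop the boot.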

We then built a custom ramdisk which, when started, began the process of modifying the system by performing the following steps:

  • Mount the USB drive plugged into the Chromecast.
  • Erase the /system partition (mtd3).
  • Write the new custom system image.
  • Reboot.

Note: /system is squashfs, as opposed to the more commonly seen EXT4/YAFFS2.

The system image installed from our package is a copy of the original with a modified /bin/clear_crash_counter binary. This binary was modified to perform its original action and, in addition, spawn a telnet server as root.

After the above process, the only modification to the device is the one that spawns a root shell. No update mitigations are performed, which means that, theoretically, an update could be pushed at any moment patching our exploit. Even with that knowledge, having an internal look at the device is priceless, and we hope that the community will be able to leverage this bug in time.

Downloads and instructions for exploitation can be found on our wiki at: GTVHacker Wiki: Google Chromecast

Looking for help rooting your device, or just want to ask us a question? Check out our Chromecast forum.


10 Comments on “Chromecast: Exploiting the Newest Device By Google.”

  1. Adam Baxter said at 2:58 pm on July 28th, 2013:

    Are you able to dump the original firmware?

  2. A viewer said at 6:00 pm on July 28th, 2013:

    Ultimately there are two hardware hacks I’d like to see on this thing: 1) Ability to use a wired network connection. 2) Separate audio output, preferably optical (TOSLINK).

  3. munchy said at 7:05 pm on July 28th, 2013:

    Hello GTV Hacker,

    Can you please link me to a USB powered cable? Also, is it a micro USB or mini USB cable?

    Thanks

  4. Zhuowei said at 4:15 am on July 29th, 2013:

    @Adam Baxter The /system SquashFS partition of the firmware is in the download (dd if=gtvhacker-chromecast.bin of=out.squash skip=655 bs=16K)

    I’m not sure how to dump the modified ramdisk or whether there exists a dump of the original ramdisk. (If there is, can someone please post it?)

  5. Aigarius said at 8:10 am on July 29th, 2013:

    The ultimate would be to get an image that could be booted on a Raspberry Pi and function as a Chromecast 😉

  6. Arjen82 said at 10:10 am on July 29th, 2013:

    Would it be possible to package the Chromecast functionality as an Android app?

    Would be cool for people in countries that do not have access to the Chromecast yet (and have a spare Android device with MHL or another HDMI connection lying around).

  7. Andrei Shevtsov said at 6:02 pm on July 29th, 2013:

    Do you guys think it would be possible to replace the Nexus Q’s firmware with the Chromecast’s? I still have that thing, and if only it worked with Play Music…

  8. vagif said at 7:24 pm on July 29th, 2013:

    Is it possible to install the Chromecast image on a Logitech Revue?

  9. woo said at 12:17 am on July 30th, 2013:

    So what are the chances of installing Linux on it, or XBMC?

  10. Mark said at 5:11 am on July 30th, 2013:

    How did you get the CLI interface on the left monitor of the device? I saw on the wiki about the UART, but it states that it only logs the boot process. I saw typing on the CLI. How was that accomplished?

    Thanks!