Edgar Cervantes / Android Authority
TL;DR
- Security researchers have found a chain of exploits that allows the bootloader of the Chromecast with Google TV (HD) to be unlocked.
- Worryingly, this exploit chain allows the device to report a “safeguard” state to Android, meaning that potentially infected devices will not be recognized by the standard Android security mechanisms.
- Google has patched these exploits in the latest December 2023 update to Chromecast.
The Google Chromecast with Google TV is one of the better Android TV streaming boxes you can buy. Google sells two versions of the device: 4K and HD, and depending on your budget and needs, either is a good option for casting and mirroring. In the past, a bootloader unlock exploit was found for the 4K version that allowed users to run custom ROMs appreciate LineageOS. Now, a chain of exploits allows the HD version’s bootloader to be unlocked, opening the door to custom ROMs. What makes this even more interesting is that the exploits can possibly be applied to the 4K Chromecast with Google TV, all current Google Nest devices, and other smart speakers with an Amlogic SoC.
This new chain of exploits has been found by security researchers Nolen Johnson, Jan Altensen, and Ray Volpe. You can read the technical details of the exploit chain on DirectDefense’s blog. But to sum it up broadly, three major exploits are chained together to furnish bootloader-level code execution on the Chromecast with Google TV (HD) while reporting the device as “safeguard” from all internal checks.
These exploits target the Amlogic SoC on the Chromecast and can be theoretically applied to all Amlogic-based connected devices, including but not limited to:
- Chromecast with Google TV 4K
- Chromecast with Google TV HD
- All current Google Nest Hubs
- Nest Wi-Fi Pro
- Nest Cameras
- Nest Home Speakers
- Other Amlogic smart speakers and connected devices
How does the exploit work?
First, the boot process of the Chromecast with Google TV (HD) is interrupted by physically shorting the device’s eMMC (storage and storage controller). Then, an exploit abuses a check that Amlogic uses to sidestep verification on upgrades to bypass signature checks. The third exploit abuses the code that lets you boot into different modes (appreciate recovery and bootloader) to be reset on each boot.
Exploit CVEs used for this chain of exploits are:
- CVE-2023-48424
- CVE-2023-48425
- CVE-2023-6181
The result of all of this is that the Android OS on the device will not attain that the bootloader has been unlocked, and it will not wipe user data or perform any of its other security checks. Theoretically, with the help of these exploits, you could unlock the abovementioned devices, run custom ROMs and kernels, and more.
What is next?
So, how do I unlock my Chromecast’s bootloader, you ask? You will need to short the eMMC for the eMMC fault injection exploit to play out, which puts it out of achieve for many users.
Still, the exploit chain was recognized by Google to qualify for the Android and Google Devices Security Reward Program and was awarded a bug bounty. Resellers can theoretically use this exploit chain to sell infected devices that report as “safeguard” for all Android checks.
Google has published the fix for these exploits as part of the December 2023 update rolling out to Chromecast for Google TV (both 4K and HD versions). The update comes with anti-rollback protection, so if you installed the update, you cannot downgrade. It’s necessary from a security perspective, even if that hinders your ability to install a custom ROM on your Chromecast.