GTVHacker yesterday announced an exploit package that will modify the system to spawn a root shell on port 23. "This will allow researchers to better investigate the environment as well as give developers a chance to build and test software on their Chromecasts," it wrote.
The Chromecast is a dongle that plugs into any HDTV to allow streaming video to be viewed on a larger screen. It includes a single-core Marvell processor, 512MB RAM and 4GB storage. Google said the operating system is a modified version of ChromeOS: no it isn't, says GTVHacker, it's more Android than ChromeOS. "To be specific, it’s actually a modified Google TV release, but with all of the Bionic / Dalvik stripped out and replaced with a single binary for Chromecast."
What this means is that there is not a lot you can do with this hack – yet. There aren't even any apps for the Chromecast – but again, yet. On Saturday, Android Authority reported, "While poking around some of the Chromecast configuration files, the guys over at GTVHacker found something quite interesting. It seems that a lot of additional apps or receivers are being tested at this time."
Android Authority expects that Pandora, HBO Go, Washington Post, AOL On, Qello, Revision 3 and Songza all "might be coming soon."
The hack itself takes advantage of the loading procedure. "By holding down the single button, while powering the device," says GTVHacker, "the Chromecast boots into USB boot mode. USB boot mode looks for a signed image at 0x1000 on the USB drive. When found, the image is passed to the internal crypto hardware to be verified, but after this process the return code is never checked! Therefore, we can execute any code at will."
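The unchecked-return-code flaw GTVHacker describes, reduced to a small C sketch that is added here for illustration and is not Chromecast bootloader or GTVHacker code. The function names, the XOR-checksum stand-in for the crypto hardware and the sample images are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum boot_result { BOOT_REJECTED = 0, BOOT_EXECUTED = 1 };

/* Hypothetical stand-in for the crypto hardware: the constructed "signature"
 * is an XOR checksum stored in the last byte of the image.
 * Returns 0 when the image verifies, -1 otherwise. */
static int hw_verify_image(const uint8_t *img, size_t len)
{
    uint8_t x = 0;
    if (img == NULL || len < 2)
        return -1;
    for (size_t i = 0; i + 1 < len; i++)
        x ^= img[i];
    return (x == img[len - 1]) ? 0 : -1;
}

/* Bug pattern from the article: verification runs, its result is discarded. */
static enum boot_result boot_unchecked(const uint8_t *img, size_t len)
{
    hw_verify_image(img, len);   /* return code never checked */
    return BOOT_EXECUTED;        /* control would pass to the image regardless */
}

/* Corrected flow: fail closed on any non-zero verification status. */
static enum boot_result boot_checked(const uint8_t *img, size_t len)
{
    if (hw_verify_image(img, len) != 0)
        return BOOT_REJECTED;
    return BOOT_EXECUTED;
}

/* Constructed sample images: the second has one payload byte altered. */
static const uint8_t signed_img[]   = { 0x10, 0x20, 0x0f, 0x3f };
static const uint8_t tampered_img[] = { 0x10, 0x21, 0x0f, 0x3f };

int main(void)
{
    printf("unchecked, tampered image: %d\n",
           boot_unchecked(tampered_img, sizeof tampered_img));
    printf("checked,   tampered image: %d\n",
           boot_checked(tampered_img, sizeof tampered_img));
    printf("checked,   signed image:   %d\n",
           boot_checked(signed_img, sizeof signed_img));
    return 0;
}
```

Declaring a verifier with `__attribute__((warn_unused_result))` makes GCC and Clang flag a discarded call like the one in `boot_unchecked` at compile time.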
In reality it is more of a process exploit than a code hack. "No update mitigations are performed which means that theoretically, an update could be pushed at any moment patching our exploit." Nevertheless, suggests GTVHacker, "having an internal look at the device is priceless and we hope that the community will be able to leverage this bug in time."