One thing it may allow is grabbing the private key it uses for Device Authentication and emulate a Chromecast on other devices. It would enable streaming from Chrome to anything using the Chromecast protocol. See [1]. I had a go at implementing the protocol server-side on node, so it's basically waiting for a valid cert. I couldn't test it much though it should work. See [2] and [3]. Any help welcome.
exploited a new vulnerability in the Chromecast which allows root access
Normally, vulnerabilities would be considered a bad thing. Heartbleed is a great example of that. But in cases like these, it's a very good thing. This is why I always like to remind those whose goal is to build more secure systems to consider the implications of their work, lest our devices become even more secure against us. They usually have in mind a world where everyone has full control of their devices which are then highly secure against attacks by others, and that's a good thing; but I think it's far more likely to turn into one where corporations have all the control and devices are secure against their owners, especially as typical users continue to choose security over freedom.
They could also decide to allow their devices to be unlocked in a secure way, instead of us having to rely on vulnerabilities, and then them having to fix them.
Devil's advocate: perhaps Google is taking a loss on the $35 device in exchange for user lock-in? I doubt the immense R&D behind building it would have been worth it otherwise.
I'm not arguing against unlimited freedom - just arguing against the expectation of unlimited freedom when all things are considered.
I'd say users choose convenience over freedom, the security is in the back of their minds. Make a more convenient but free phone and people will use it.
This. I'd say they care about freedom more-less as much as about security, i.e. not at all. They just choose more convenient over less convenient. And honestly, it's perfectly understandable.
Convenience is a big part of it, but I don't see freedom being marketed quite as much (if at all) as security - these days, the new version of a product almost always mentions "more secure" in its list of features, while "more freedom", when it appears, seems to read more like "you can now do new things with your device that you couldn't before", than "you can have more control over it."
Forcing screen resolution / changing aspect ratio is what I'd want. I've got my Chromecast connected to an ancient 4:3 TV and I'd love the Chromecast to support that, or to at least not pillarbox 4:3 Youtube content. Unfortunately there's no setting on my TV to change the aspect ratio, I have to do it on my devices.
(Yes, I know, I should just upgrade the TV, but in that case I probably wouldn't have bought the Chromecast.)
One thing which comes to mind is the DNS settings on the Chromecast can't be modified so being able to change them could help get around regional restrictions.
My understanding is that if you prevent Chromecast form reaching Google's DNS servers it will allow you to provide an alternate address. Haven't had a need to try that myself, though.
Does anybody know anything more than I about what this will enable (now)? Or is this just the first step of many in creating a hacker community around the Chromecast and software is to come? I've got one, and I'd love to make better use of it, or even help develop some stuff for it if it's that time :)
If I get around to it I am going to port a dashboard I built for the chromecast to act as the normal home screen.
The problem with how it works now is you would manually have to re-cast the dashboard when you turn it on, or after you were done casting anything else. I did that for the first day, but after that it just didn't really seem to be as worthwhile.
And the main benefit of that ROM seems to be that you can set an alternate DNS server to get around (some) forms of region controlling, as well as set your own application whitelist - not sure whats missing from the existing whitelist or what killer app you would root this for, but if I own the device, I should have total control over the device.
> if I own the device, I should have total control over the device.
I agree (mostly) with you, but I still want to prod at this because I think it's interesting.
I'm guessing you probably own a (recent) car, a microwave, etc. Do you have total control over these devices? If not, does it bother you as much as not having total control over the Chromecast? How are they different (or not) from a Chromecast? A phone? A computer?
I've completely disassembled and re-assembled my (not recent) winnebago diesel, including rebuilding the engine. Almost every part on that RV has been redone by me, because I wanted to, and I didn't have to resort to any sort of safecracking tactics to be able to do that. If microwaves were built on top of a general purpose computing platform, then yes, I would want root access to them.
The only reason that total control is not granted by default is that companies fear that they will no longer control their customer. I can understand in instances where safety or device damage may be an issue (like, no, I dont want root access to a tesla for example), but for consumer devices, I should not be forced to use apples store to add software to my phone. I should not be forced to use googles software to use their hardware either.
It's only a part answer, but people who are into cars certainly do screw around in a similar way, whether just to read diagnostics codes out or going full out and remapping the ECU for extra performance/efficiency/whatever they want. There are even hacks to change throttle response now.
My microwave, on the other hand, I'm not sure there's much else I want it to do that I'd consider reprogramming it for ;-)
Microwave... Just a wild idea off the top of my head: coupled with hardware hacks, like, some sort of IR pyrometer it could actually adapt output to maintain the food heated at specified level or just turn off when a certain temperature is reached.
A computer is a general purpose device. Your Chromecast is a computer that would be capable of much more than just streaming videos if it wasn't for the artificial limitation in its software.
Your car on the other hand has a pretty narrow application field. Your microwave too. Those are tools that perform their intended task as good as they can.
Now if there was a firmware switch limiting your microwave from performing its intended task to its fullest capabilities you probably would want to 'root' it too.
Not stupid at all; that should be the first question anyone asks. As far as I know, the Chromecast doesn't allow for discovering & streaming files via DLNA/UPnP. That feature alone is worth the rooting even if I "lost"[1] Netflix & Youtube support.
1. "Lost" is relative for a device that cost $35. I could just... buy another one.
Google charges money (to verify your identity I assume, it's quite cheap) if you wanted to make actual apps for chromecast, I assume you can sidestep that with this.
I made a transcoding proxy for Chromecast, for it to work, I'd have to piggyback the url-player (without selling my identity). I don't like stuff like that.
> Google charges money (to verify your identity I assume, it's quite cheap) if you wanted to make actual apps for chromecast
It's $5, but just FYI, you don't have to pay or register your app if you make a Default Media Receiver. You don't get on-TV UI, but that's probably fine if you're just transcoding and displaying video.
For the hacks of course. Chromecast is a nice device but it is just a Chrome browser. One istance is you can build a lightweight version of popcorn time and stream torrents to tv.
Anyone having a Chromecast and able to tell me what I'm missing? Currently I've got xbmc running on a Raspberry Pi. Connected via HDMI, online via wifi and I can stream more or less everything (videos, images, music) from my phone to that thing - not sure if there's a decent way to do that from my laptop running Linux.
Google wanted an Airplay competitor, and for whatever reason wanted to hobble it with the same restrictions as Airplay - a proprietary protocol to only let certain (closed source) programs stream to it, and prevent those programs from streaming to non-Google targets.
It's not "whatever reason". Google is in the content selling business now - which means they are going to add as much DRM and restrictions to their operating systems, browsers, and devices as possible, to either try to "protect it" (which I think we all know it never works), or to please their content suppliers.
This is not just a constant thing we're seeing either. Expect Google to become ever more restrictive and anti-piracy, as they delve deeper into the content selling business. The days of the "Open Google" are long gone now, and they're never coming back.
> and for whatever reason wanted to hobble it with the same restrictions as Airplay
They want to work with the big content companies. The end game might be ads on the chromecast served through Google with the stick is access to chromecast and the carrot is ad-optimization by Google and maybe blocking pirated content.
$35 and let's me use my phone as my remote for Netflix, HBO Go, and Hulu. Drop dead simple casting. Also it doesn't stream from the phone; it simply takes in commands so it might save your battery some.
What I like about Chromecast is that their integration is simply a small button added to other apps that I'm already familiar with.
For example, I use Netflix as normal but basically choose where the output should go. It's actually quite similar to Apple's AirPlay integration although the Chromecast has never had an issue (AirPlay always seemed to have latency issues).
Well, for starters this is decidedly and completely untrue.
But moreover, when your phone dies and you're using it as a remote at home, you likely have the charger right there are home too. When the AAAs in your dedicated remote die (though PERHAPS more infrequently) you need to go running around to see where you shoved that container of AAAs, find that they're all actually the dead ones, and then go to the store.
Perhaps? Why are we beating around the bush, does your remote battery die enough that you even have a concept of how long the battery lasts (I don't. Is it 6 months, a year, 2? No idea, too infrequent to expend brain-space on)?
Battery is only the second worst part about using a phone as a remote, the worst being that a phone is anti-social while watching television (on a television) is social.
My phone is the one device I know will always have battery, because it is important enough for me that I always charge it. It's also the one device I know I will always have near me.
What kind of geek doesn't have a USB charging port or two built in to (or close enough to) their couch? Couch charging has been the default for my wife for ages...
With certain apps they actually added a pretty nice function for this. Youtube is one in particular that can queue up videos on a Chromecast from multiple devices.
There's no need to downvote someone just because you disagree with them.
For my money, the best remote I ever used was the original TiVo. There's something a lot more haptic about a physical remote with real buttons. And I have yet to see a Chromecast remote app that's very good. Where's the dedicated "skip back 9 seconds" button? Or "turn close captioning on"? These are things I do all the time while watching shows.
Easiest way I have found to watch Netflix. Also it's pretty nice for renting movies. I used to rent from Amazon and play off my ps3, but I have started renting from google play and throwing it on the chromecast. I also like that frequent guests(girlfriend) to my house can use it without having to ask me.
It sounds like with your current set up a chromecast might only be slightly more convenient, so you might not be missing much.
For me the main selling point is the low price and not sure it makes sense if you have something setup to do most of it. I do use mine a ton for netflix, hulu (via tab casting) and arbitray media files via the videostream chrome extension/app from the webstore.
Hey - thanks for answering.
The price is about the same (and I have the Pi). So that's mostly an argument for 'why not' and 'you might waste $35, but nothing more'.
Netflix/Hulu - no user myself and I'm not sure if those services are available outside of the US/available in DE. Tab casting, as far as I understand that, is a Chrome feature. I'm a Firefox guy. Would I be able to do something useful with that device?
Right now it seems like it would be equivalent to the Pi w/ xbmc, in an arguably smaller/nicer package. I'm hoping for a killer feature that I haven't considered/noticed :)
I'm basically in the same situation as you. I already have Raspbmc set up on my Raspberry Pi, and see little reason to purchase a Chromecast. In my understanding, the "killer feature" is that it's supported by an increasingly large number of Android apps, which don't have support for casting to arbitrary UPnP targets as far as I'm aware.
Currently my main applications used by my chromecast are watchever (a service like netflix), twitch (using a third party app shame on me ;)) and youtube while I use the Pi mainly for "offline" media.
The most appealing feature of the chromecast is that it "just works" and I never had major problem with it (super easy setup, great integration into existing apps, turns on the tv once it is activated on my phone and so on). For me it delivers on the promises, which manufacturers of "smart TVs" made but failed to achieve in their products.
The real "feature" of the Chromecast isn't technical. It's the ecosystem and particularly the fact it "just works" and is built in and enabled by default on a large number of Android apps. So for example, my friend can come over to my house and fire up his Google Music and his phone automatically sees my Chromecast and he can play to it. Or movies, or photos or ... etc etc. You can get any number of devices that do this, but only the Chromecast is built in and enabled by default on every Android device (not sure what iOS status is ...).
I had one for two weeks and found it overly pointless and another chunk of ecosystem tie in so I gave it to a friend. It has been passed on already.
I reverted back to using foobar2000 on windows with the upnp plugin and my Sony DLNA capable TV for all local media (and a USB stick for mp3s rsync'ed with my laptop). Works fine. The TV does youtube, netflix, amazon video, iplayer etc already. This is a 3 year old Bravia EX unit worth about £100 now.
For me it's the convenience of being able to throw up various content from every device in the house (either via a dedicated app, or via chrome). It doesn't replace xbmc in any but when you want to e.g. play a youtube video, it's fantastically convenient for the low price.
It's greatly improved with XBMC 13.0+, which included a bunch of optimizations to make XBMC on the RPi more bearable. Go through the XBMC Raspberry Pi wiki page to turn off things that waste CPU (like the RSS ticker). It also helps to use rpi-config and select the modest overclocking option (the one that doesn't change any voltages). XBMC is very smooth after doing those things.
The only issue I still have is that the wifi dongle I attached to the RPi can only pull 10Mb/s. I hear this is due to lack of power provided by the RPi to its USB ports and that it can be mitigated by using a powered USB hub, but I haven't tried that yet. 10Mb/s is enough to stream SD and some HD, but not all HD. I've tweaked the buffering settings to make this a little more bearable but honestly I usually end up transcoding a lower-bitrate version for the RPi to stream, which is a pain without a UPnP server to do that transparently.
A USB install of Openelec on a Raspberry Pi overclocked to 'Super' (1000..) works well. Not as good as a more powerful system, but as far as the pi goes this is the fastest option.
I set it up on Raspbian, but I used the binary packages provided by [Michael Gorven](http://michael.gorven.za.net/raspberrypi/xbmc) instead of compiling from source as described by the Raspbian wiki.
Not super related to the rooting (which is awesome), but I have a Chromecast question:
I have a Chromecast and I love it, but the one thing I want to use it for that I haven't been able to figure out how is to show a dashboard at work. We have these giant TVs that are basically off all the time, except when there's a football game or something on, and I want to put up my stats dashboard for our app. Chromecast should theoretically make it easy for me to just stream the dashboard to the screen, but what I've found happens is that it goes to sleep after 10 minutes or so.
I don't want to spend hours and hours rooting around and figuring out application IDs and stuff. I just wanna click some buttons and have my dashboard show up and stay up all day. Are there any resources for that?
Is it just me, or is it odd that we rejoice when things like this happen? It just doesn't feel right to reward companies who release locked-down hardware. Don't get me wrong, I share in the excitement for a $35 XBMC capable android device. But on the other hand, it seems a better idea to spend money on a product that isn't locked down in the first place.
I haven't followed the Chromecast, but why is it locked in the first place!?
It's locked because they are selling it at a knock down price to tempt you into their eco system. As a consumer you are free to buy any of the SOC devices out on the market at the moment, of which there is a fantastic array, but they all cost more.
I think there's probably not a device with the same set of capabilities of the chromecast at the same price, but on the other hand the chromecast is missing features that you can have on other devices that cost more or less the same (take rPi or one of the thousands of android usb stick) e.g. being able to play avi/divx files (it supports h264 in mp4 and mkv) or audio tracks in ac3 or dts (it supports mp3, vorbis and aac) without transcoding, or use some android apps like p2p streaming apps (sopcast). So the problem is that you can some things really easily (e.g. netflix or sharing from phone) but you miss some other that somebody is looking for (e.g. use it a good mediaplayer having quite an old pc and phone that can't be used for transcoding sources).
I've found some of these here[1] but owning no chromecast I can't do any test by myself.
For those who don't know (as I didn't) XBMC[1] is an open-source media center/entertainment application that supports a variety of OSes, including Android. And, apparently, the project is going to be renamed "Kodi" in the near future.
It blows my mind that XBMC is still being developed, let alone relatively popular on several platforms. I used it pretty extensively on a modchipped Xbox ~10 years ago as my first real "streaming" box (i.e. to play pirated movies from my computer on my TV). Strange that they didn't drop the 'XB' from their moniker earlier.
Don't hold your breath on that one. XBMC is very resource demanding and the SoC on Chromecast is not only not documented but also very low on resources.
However, they might be able to grab the private keys from it and use them to build add Chromecast emulation to XBMC.
The biggest problem I've had with Chromecast was using it in a hotel that had wifi login pages.
The device is ideal for hotels since you usually get a nice HD TV in the room. But half the time I can't stream from Chromecast because of the wifi login.
A rooted Chromecast would essentially let me log in to the hotel wifi like I would on my laptop or phone. Then I can stream away.
I've solved this problem for Apple TVs by spoofing the device's MAC address on my laptop, using the laptop browser to accept the WiFi ads or login or whatever, and then resetting my laptop address and plugging the device in.
Is "browser posturing" a typo for something else? That term doesn't ring any bells and there are no google results, and I can't think of what you may have meant. Just using a cookie or something?
I carry a small travel router that I plug in to the wired network in hotels. I don't travel with my chromecast but I like that I don't have to login from my phone, tablet, Kindle and laptop. The chromecast would work in the same way and would also have the benefit of not announcing its presence to the entire hotel.
[1] https://github.com/thibauts/node-castv2/issues/2
[2] https://github.com/thibauts/node-castv2
[3] https://github.com/thibauts/node-castv2/blob/master/lib/serv...