HubCap: pwning the ChromeCast pt. 2

The chain

In the last post, I explained the bug that we used to get a foothold into the system, but we're far from achieving what we want. We left off being able to overwrite anything before a particular buffer, but because of caching behavior that didn't get us all that far. Additionally, we don't know exactly where we are in memory. I mentioned in the previous post that there's a debug port on the Chromecast that prints out messages from the boot loader.

HubCap: pwning the ChromeCast pt. 1

In case you're looking for the root, it was released a little while back: here

The foothold

I'd tell you all about what the Chromecast is, but I think Wikipedia has that part covered for me. For our purposes, all you need to know is that it's an ARMv7 based device, has WiFi, an HDMI connector and a maintenance port in the form of a micro USB port.