This page is for Google Chrome/Chrome OS bypasses
For Windows exploits, see Bypasser’s Windowskit
Most web-based exploits will work on other Chromium based browsers
proxy moment
Opens a proxy tab with about:blank cloaking.
Web-based exploit.
1: Make a bookmarklet with the link from xlak.github.io/alphabetic/ & run it.
2: Print the page (Ctrl+P), then cancel & click “try again”. A proxy tab will open.
os;App Diagnose WiFi Bypass
Requires an app
a p p.
Chrome OS-based exploit.
1: Disable WiFi.
2: Click "Sign in as Existing User".
3: Hold esc & click any app.
4: Click "Add WiFi" & click any WiFi.
5: Click "Diagnose" & go to WiFi.
6: Click "Open in Settings", then close it.
7: Repeat step 2.
proxy;bookmarklet;web;Browser Action Crasher
proxy moment
Opens a proxy tab with about:blank cloaking.
Web-based exploit.
1: Make a bookmarklet with the link from xlak.github.io/alphabetic/ & run it.
2: Print the page (Ctrl+P), then cancel & click “try again”. A proxy tab will open.
web;Buypass
Only lasts for 3 minutes.
Bypasses extensions for 3 minutes.
Web-based exploit.
1: Get the code from xlak.github.io/chaos/ & paste it in a new tab.
2: Inspect the page that loads.
3: Click on “Console” at the top & paste the script in.
4: When an inspect window pops up, paste the script in again.
os;powerwash;Corkey
Requires powerwash.
Your extensions get corrupted & don't work.
Chrome OS-based exploit.
1: Enter recovery page (Esc+Refresh+Power) or powerwash.
2: Log into your Chromebook & immediately turn off WiFi, then perform an instant restart (refresh+power).
3: Log back in & look for an option to log in as an existing user.
4: Go to chrome://extensions & turn on Wifi.
5: Wait for your school’s blocking extension to appear. As soon as it does, turn off Wifi & restart quickly.
6: Log back in, go back to extensions, & wait. If it says your blocking extension could be corrupted or doesn't appear at all, then it worked.
web;Dextensify
Memory leak unavoidable.
Disables extension with a memory leak.
Web-based exploit.
1: Go to chrome://extensions.
2: In a new tab, go to the settings page of the extension you want to disable.
3: In another tab, go here & click the “freeze extension button”.
4: Immediately switch back to chrome://extensions & spam the “allow access to file URLs” for a few seconds.
5: The extension is now disabled. You need to flip the switch a few times every couple of minutes, & you may need to reopen the Dextensify page every once in a while to prevent an unavoidable memory leak from crashing the system.
web;goguardian;GoGuardian GoAway
1: Go *{display:none}"}]"> here.
2: Reload the page.
3: If you are left on an error screen, go to chrome://restart.
tablimit;goguardian;GuardianTabCrash
Requires tab limit.
Crashes the admin's ability to remove tabs, though they can still see your screen.
Web-based exploit.
1: Create a bookmarklet with this code.
2: Spam click the bookmarklet while holding Ctrl.
3: If you’re asked to close the page, click no & prevent the page from making additional dialogues.
web;bookmarklet;hapara;Hapara Focus Session Bypass
1: Create a bookmarklet with this full screen iframe "> code.
2: During a focus session, run the bookmarklet.
v112;os;Killcurly
Patched on Chrome OS 112+
Patched on Chrome OS 112+
Chrome OS-based exploit.
1: Go to chrome://settings/signOut.
2: Press the big blue button.
3: Go to chrome://restart.
4: Add your school account back.
v106;web;bookmarklet;Ingot
Patched on Chrome OS 106+
A menu to disable extensions & enable extension Dev Mode. The successor UI to LTBEEF.
Web-based exploit.
1: Make a bookmarklet with this code.
2: Go to https://chrome.google.com/webstorex & run the bookmarklet.
securely;web;INSECURELY
Patched on Securely versions above 2.98.55
A toggle that kills Securely using black magic.
Web-based exploit.
1: Go here & flip the switch.
hapara;v111;web;bookmarklet;LoMoH
Doesn’t work with Hapara Highlights & Read&Write; patched on Chrome OS 111+
Uses locked mode to disable extensions. Formerly called Locked Mode Hack.
Web-based exploit.
1: Create a bookmarklet with this code & run it.
web;LTMEAT
Methods using (B) & (C) are patched on Chrome OS 115+
Crashes an extension's manifest file.
Web-based exploit.
Note: LTMEAT disables all extensions, not just your blocker.
Template URL: chrome-extension://ID/manifest.json
Extension IDs (Chrome):
Blocksi: pgmjaihnmedpcdkjcgigocogcbffgkbn
ContentKeeper: jdogphakondfdmcanpapfahkdomaicfa
Cisco Umbrella: jcdhmojfecjfmbdpchihbeilohgnbdci
Fortiguard: igbgpehnbmhgdgjbhkkpedommgmfbeao
GoGuardian: haldlgldplgnggkjaafhelgiaglafanh
Hapara: kbohafcopfpigkjdimdcdgenlhkmhbnc
iBoss: kmffehbidlalibfeklaefnckpidbodff
LANSchool: baleiojnjpgeojohhhfbichcodgljmnj
Linewize: ddfbkhpmcdbciejenfcolaaiebnjcbfc
NetRef: khfdeghnhlpdfeenmdofgcbilkngngcp
Securly: joflmkccibkooplaeoinecjbmdebglab
Smoothwall: jbldkhfglmgeihlcaeliadhipokhocnm
If your blocker ID isn’t on this list, go to the extension page & copy the character string in the URL.
1: Take the Template URL & replace "ID" with the extension ID. This is the extension's manifest page.
2: Go to the extension’s manifest page & bookmark it (A), as well as chrome://kill (B) & chrome://hang (C).
3: While on (A), click on (B).
4: Instantly start spamming (C) & reload.
Switch Method
1: While on (A), click on (B).
2: Duplicate the tab.
3: Go to the extension’s settings page.
4: Flip the "Allow access to file URLs" switch.
Chat Method
1: Wait until your teacher opens the chat window.
2: Spam X until it stops opening.
3: Flip the “Allow access to file URLs” switch.
Temporary Method
1: Create a new bookmark folder (spam.js) & inside that folder, make 38 bookmarks of the page chrome-extension://id/background.js (you can do this easily with the bookmark manager).
2: Go to chrome://settings/performance & turn memory saver off. Under “Keep these sites always active”, add chrome-extension://id/background.js.
3: On a new tab, right click (spam.js) & click “open all (38)”. Repeat this step, then duplicate the rightmost page & go to your blocker’s extension page..
4: Flip the “Allow access to file URLs” switch & go to the leftmost tab. Right click it & select “Close tabs to the right”. Keep the remaining background.js tab open.
Skid Method
1: Go to (A) & click on (C).
2: Duplicate the tab (right click on it & click “duplicate”).
3: Go to your blocker’s extension page & flip the “Allow access to file URLs” switch.
WiFi Method
1: Go to your blocker's extension page.
2: Disable WiFi.
3: Spam the “Allow access to file URLs” switch.
4: Enable WiFi.
5: Spam pin your extension.
106;web;bookmarklet;Point-Blank
Might be patched on Chrome OS 106+
Allows you to execute scripts on the extensions page, as well as hard & soft disable extensions.
Web-based exploit.
1: Create a bookmarklet with the code from here.
2: Go to one of these pages:
3: Click on the blue link & run the bookmarklet in the newly opened tab.
bookmarklet;web;Quickview
Requires bookmarklets
Loads pages without extensions.
Web-based exploit.
1: Create a bookmarklet by dragging the box that says “Quickview Launcher” from here into the Bookmarks Bar.
2: On that same page, double click the opener.
3: On the newly opened tab, run the bookmarklet.
flags;web;Sidetracked
Requires flag access; only works on Chrome OS 106+
Uses the unblocked sidebar to browse the web.
Web-based exploit; Chrome OS exclusive.
1: Go to chrome://flags#search-web-in-side-panel & enable it, then restart.
2: Open the side panel & select “google.com” from the drop own list.
kiosk;SKIOVOX
Requires a kiosk app; Most methods patched on version 119
Opens a window inside of a kiosk app, which has different permissions & extensions.
Chrome OS-based exploit.
1: In the login screen, turn off your WiFi.
2: If you have a password, type it in but don’t press enter.
3: Click on a kiosk app & press Alt+Shift+S instantly.
4: Wait until you get a “network unavailable screen”.
5: On the toolbar, click accessibility & then the ?.
If you see a “back” button proceed to method A (steps 6-7). Otherwise go to method B (steps 8-10) or method C (11-13).
Method A:
6: Click “add other WiFi network” & immediately press Esc twice & Enter. If you get a screen saying “multi sign-in is disab;ed”, press Esc to bypass it.
7: There may be an open window belonging to your school profile, you can close it. In the window behind it that has no extensions, click the 3 dots & then click “new window”. Use this window instead. Go to steps 14+.
Method B:
8: Press the “diagnose” button.
9: Just click “add other WiFi network”. This is inconsistent, try a few times with a few apps or use steps 11-13.
10: Click Wi-Fi, then the settings link. Close this window to reveal a Chrome window. Go to steps 14+.
Method C:
11: Just click “add other WiFi network”.
12: Turn on text-to-speech (Ctrl+Alt+Z). Hold the Search key & press O, then T.
13: Click “resources” & one of the 3 links to open Chrome. Once your browser is open, you can turn text to speech off. Go to steps 14+.
14: This exploit has some problems that can be fixed by the Skiovox Helper. A ZIP file of the extension is available on the GitHub page as well as here.
15: Go to chrome://extensions & enable extension Dev Mode. Click “load unpacked” & in the select a file menu, right click the ZIP file you downloaded earlier, & click “extract all”. Select the newly extractedfolder to install the extension.
Other notes:
Problems without Skiovox Helper:
-Unclear how to add an account/install extensions.
-Keyboard shortcuts are broken.
-It’s hard to remove or resize windows.
-Can’t view battery percentage or time.
The main difference between the results of method A (steps 6-7) than method B (8-10) or method C (11-13) is method A can open multiple windows, while the others can’t.
If your screen keeps falling asleep every 5 seconds, try a different kiosk app.
Your files, bookmarks, & history won’t transfer over to the exploit & vice versa.
To exit the exploit, either hold down your power button & sign out or type chrome://quit in a new tab.
Unpatched Method
1: Do the main methods steps 1-4.
2: Click the cog in the brightness settings instead.
3: Click on one of the links in Chromevox's Resources tab (Ctrl+Alt+Z), then disable it.
4: Click "Sign in as existing user" & login. If you don't see this, try a different kiosk app.
5: Press Esc on the "Multi user sign in disabled on this Chromebook" screen.
6: Turn on WiFi & open a new window.
7: Go to main method steps 14+.
Note that any Incognito window is still monitored by your school.
web;extensionaccess;SOT
Requires extension access.
Uses OneTab & European witch magic to unblock websites.
Web-based exploit.
1: Download the OneTab extension.
2: Click the "import" button in the extension's settings tab.
3: Add the URL you wish to visit ~100 times, then click "import".
4: Spam click the top link, then either spam Esc on one of the opened tabs or wait for one to load on an about:blank page.
os;SWAB
Not finished
Access Google on the sign in screen.
Chrome OS-based exploit
1: Sign out.
2: If "Network Not Available" appears, click "Sign in with existing user".
3: Click "back".
4: TBF.
os;proxy;dnssettings;Swamp Launcher
Requires access to DNS settings
Connects you to a proxy server.
Chrome OS-based exploit.
1: Open the DNS settings.
2: Select "custom name servers" & set all of the boxes to 0.0.0.0.
3: Wait 5 seconds, then change them to 150.136.6.90.
4: In Google, go here.
5: Reload the page (Ctrl+Shift+R), then go here on the same tab.
6: Click on the big red triangle in the middle of the page & type "thisisunsafe". If you fail, reload the page & repeat this step.
7: Repeat step one & select "automatic name servers".
iboss;blocksi;web;bookmarklet;uBoss
Exclusive to iBoss & Blocksi
Tampers with iBoss.
Web-based exploit.
Requires screwdriver
Removes the admin lock.
Hardware-based exploit.
1: Turn your Chromebook off.
2: Unscrew the back cover.
3: Unplug the power cord connecting the battery & motherboard.
4: Hold the power button for 30 seconds.
5: Plug the power cord back in & screw the back cover on (or just leave it off you fucking psycho).
bookmarklet;Blank3r
about:blank
Allows you to run bookmarklets on privileged pages.
Web-based exploit.
1: Go to chrome://network#state.
2: Find the managed WiFi under "Favorite Networks".
3: Click the "+" & copy all the text.
4: Go here & paste the test into the bar, then click "Download".
5: Go to chrome://network#general & import the ONC file.
web;bookmarklet;ByeBlocker
1: Create a bookmarklet with this code & run it.
bookmarklet;Car Axle Client
Requires bookmarklets.
A menu with games, exploits, & bookmarklets.
Web-based exploit.
1: Make a bookmark with the code from here & run it on any page.
web;network;CAUB
Has to be done for each WiFI network; Chrome OS version 85+ required
Prevents your Chromebook from automatically updating.
Web-based exploit.
1: Go to chrome://network#state & scroll to the bottom.
2: Click the "+" by the name of the WiFi network.
3: Copy the whole page (Ctrl+A then Ctrl+C).
4: Go to caub.glitch.me & paste it into the text box.
5: Click "generate onc" & download the file.
6: Go to chrome://network#general & import the onc file.
1: Go to chrome://flags#show-metered-toggle & enable it.
2: Open Settings & go to Network >> Your WiFi >> Advanced >> Show metered toggle & turn it on.
os;powerwash;CRSH2TTY
N/A :0
Unenrolls your Chromebook, removing ALL restrictions. Works on every Chromebook.
Chrome OS-based exploit.
1: Powerwash on the login screen (Ctrl+Shift+Alt+R).
2: Proceed through setup.
3: When it starts to enroll, wait 1 second then restart (Power+Refresh)
4: When it starts to enroll again, wait 1 second then enter Recovery Mode (Esc+Refresh+Power) then power off.
5: Leave it off for at least 15 hours.
6: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
Now that you're unenrolled, you won't have any kiosk apps. In order to get them back, you'll have to temporarily re-enroll your Chromebook.
This exploit was discovered by kelpseastem & Entrpix on GitHub.
v120;externalpc;externalstorage;Cryptosmite
Requires a storage device, another PC; patched on Chrome OS 120+
Unenrolls your Chromebook, removing ALL restrictions.
Chrome OS-based exploit.
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 0, 1, or 2 your Chromebook is supported.
3: Downgrade to 118. If you're on a version before 118, stay on it.
4: Download an injected RMA Shim from here.
5: Flash the injected RMA Shim onto a USB device.
6: Enter Dev Mode (Ctrl+D).
7: Reenter Recovery Mode & plug in the storage device.
8: Run cryptosmite.sh in the injected shim.
9: In the "edit stateful bash" screen's bash prompt, run "tar -xvf /mnt/shim_stateful/stateful.tar.xz -C /mnt/stateful" & then "exit". The system will reboot into Verified Mode.
10: Click "Ok" in the oobe screen.
11: At the "Who would you like to add to this Chromebook?" screen, enable Dev Mode.
You can skip the wait by entering Recovery Mode & booting into the shim on the "Dev Mode is enabled" screen, then selecting the bash shell & running "mkfs.ext4 /dev/mmcblk0p1 -F", "mount -0 loop, rw /dev/mmcblk0p1 /tmp", "touch /tmp/.developer_mode", "umount /tmp && sync" & "Reboot". Add this as a bash script so you don't have to run these commands every time. On "enrollment" branch shims, this script is already included.
12: After enabling Dev Mode, press Ctrl+Alt+F2 quickly after you boot.
13: Type "Root", "vpd -i RW_VPD -s check_enrollment=0", & "cryptohome --action+remove_firmware_management_parameters". If you don't get the timing right, powerwash & try again.
After unenrolling, you can use KVS, which allows for use of newer versions of Chrome OS & more exploits.
extensionaccess;os;recoverymode;externalstorageDowngration
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 0 or 1, your Chromebook can downgrade to any version. Otherwise, it's limited.
Minimum versions:
0/1: N/A
2: 112
3: 120 (121 on some boards)
4: 125
3: Go to chrome://version & check your board (under platform).
4: Go to chrome100.dev & find your board (use Ctrl+F) or find the bins here.
5: Download the version of Chrome OS you want.
6: Install the Chromebook Recovery Utility extension & run it.
7: Plug in the storage device & follow the instructions.
8: On your Chromebook, enter Recovery Mode (Esc+Reload+Power) & follow the prompts.
9: Skip the "Checking for Updates" screen by pressing Ctrl+Shift+E.
os;recoverymode;externalstorage;E-Halcyon
Requires a storage device; data doesn't save; patched on Kernver 4
Boots into an unenrolled Chrome OS environment.
Chrome OS-based exploit.
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4, your Chromebook is unsupported.
3: Unenroll your Chromebook.
4: Download a Chrome OS version 107 bin from chrome100.dev or from here.
A: Open a terminal & run "git clone https://github.com/MercuryWorkshop/RecoMod", "cd RecoMod", "chmod +x recomod.sh", & "sudo ./recomod.sh -i /path/to/recovery/image.bin --halcyon --rw_legacy".
5: Flash the bin file onto a storage device.
6: Enter Recovery Mode (Esc+Refresh+Power) & plug in the storage device.
7: Spam E until you get a 5 minute wait sequence, then spam E again near the end of it.
8: Navigate to "activate halycon enviroment" & press enter, then navigate to "install halycon semi-tethered". Navigate back to "activate halycon envirement" & select "Boot halycon semi-tethered".
You can no longer boot Chrome OS normally, & will have to use the storage device every time.
web;bookmarklet;Extension Launcher
Doesn’t work with blocklist/banlist
Installs an extension without using the webstore.
Web-based exploit.
1: Make a bookmarklet with the code from here.
2: Go here & run the bookmarklet.
3: Find an extension you want to download.
4: Right-click the image to the left of the title & select "Copy image address". Paste the image address into the first bar.
5: Type the name of the extension into the second bar.
6: Copy the extension ID (string of random letters in the address bar). Paste it into the third bar.
7: Click "Download".
Visit the Extension Information page for information on some extensions.
os;recoverymode;KVS
Only works on unenrolled Chromebooks; requires a storage device; patched on Kernver 4
Switches your kernver.
Chrome OS-based exploit.
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4, your Chromebook is unsupported.
3: Download a KVS bin from here.
4: Flash it onto a storage device.
5: Enter Dev Mode.
6: Reenter Recovery Mode.
7: Follow the instructions on-screen.
powerwash;os;Revertion
Requires powerwash; untested
Reverts Chrome OS back to its previous version.
Chrome OS-based exploit.
1: Powerwash your Chromebook.
2: On the OOBE screen, press Ctrl+Shift+Alt+R twice.
3: Click "Powerwash & Revert".
web;Search Filter Bypass
doesn't do shit
Works around the set blocked pages.
Web-based "exploit".
1: Type what you want to search in the address bar & add enough bullshit, then press enter.
externalpc;externalstorage;os;SH1MMER SH1MMER Legacy
Requires 1 storage device, another PC; no UI; patched on Kernver 4
Unenrolls your Chromebook, removing ALL restrictions.
Chrome OS-based exploit.
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4, your Chromebook is unsupported.
3: Find your Chromebook’s board name by going to chrome://version. It will be behind “stable-channel”.
4: Download your board's RMA Shim at chrome100.dev & then inject the bin at Wax4Web or download an injected bin from here.
5: On another PC, download & run the Chromebook Recovery Utility extension or dd on Linux, using a local image.
6: Enter Recovery Mode (Esc+Refresh+Power when booting), then press Ctrl+D & then enter.
7: Reenter Recovery Mode, then plug your shimmed storage medium into your Chromebook.
8: Play some Tetris. This is legally required.
9: Press "S" for Cyrptosmite. The decryption key is "Info-58-immense!NickName_Arabia-710".
10: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
SH1MMER Modern
Requires 1 storage device, another PC; incompatible with Hanna/Coral boards; patched on Kernver 4
Unenrolls your Chromebook, removing ALL restrictions.
Chrome OS-based exploit.
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4, your Chromebook is unsupported.
3: Find your Chromebook’s board name by going to chrome://version. It will be behind “stable-channel”.
4: Download your board's RMA Shim at chrome100.dev & then inject the bin at the SH1MMER Web Builder or download an injected bin from here.
5: On another PC, download & run the Chromebook Recovery Utility extension or dd on Linux, using a local image.
6: Enter Recovery Mode (Esc+Refresh+Power when booting), then press Ctrl+D & then enter.
7: Reenter Recovery Mode, then plug your shimmed storage medium into your Chromebook.
8: Navigate the UI & select what option you want.
9: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
The fog...
Google has "patched" SH1MMER Modern on Chromebooks that have been on version 112+. However, there are extra steps to get it to work properly, as seen below.
Screwdriver Unfog
Requires screwdriver; Dev Mode; Chromebook on version 113 or lower.
1: Use the Admin Lock Bypass above, but don't insert the battery.
2: Enter Dev Mode & boot into SH1MMER.
3: Go into Bash Shell by using "Open Bash", then run "/usr/share/vboot/bin/set_gbb_flags.sh 0x8090". After using this command, DON'T use "Reset GBB Flags".
4: Exit SH1MMER & turn off your Chromebook. Unplug the charger, reconnect the battery, & then reconnect the charger.
5: Enter Dev Mode, then powerwash the Chromebook (Ctrl+Alt+Shift+R), then immediately enter the Chrome OS shell with Ctrl+Alt+F2+Enter.
6: Log into the user as root, then run "tpm_manager_client take_ownership" & "cryptohome --action=remove_firmware_management_parameters". If it fails, downgrade to version 110 or use E-Halycon instead.
7: Exit with Ctrl+Alt+F1+Backspace, then powerwash again. If you want to change version, continue.
8: Repeat steps 1-3, running these commands instead: "/usr/share/vboot/bin/set_gbb_flags.sh 0x8090", "tpm_manager_client take_ownership", & "chromeos-tpm-recovery". If it doesn't work, run "flashrom --wp-disable" & restart.
9: Repeat step 4. You can now install any Chrome OS version. If you get an error again, repeat steps 8-9.
Now that you're unenrolled, you won't have any kiosk apps. In order to get them back, you'll have to temporarily re-enroll your Chromebook.
1: Enter Dev Mode, then press Esc+Power+Reload then Ctrl+D & then enter.
2: If you get a screen that says "You're already in Dev Mode", skip it by pressing Ctrl+D again.
3: Powerwash your Chromebook (Ctrl+Alt+Shift+R). If you just entered Dev Mode, you can skip this step.
4: Once you enter the WiFI password, click the "Enterprise Enrollment" button & sign in with your school account.
5: Once you're on the normal district login screen, press Ctrl+Alt+F2.
6: Type "root" as the login & "test0000" as the password if needed.
7: Run the command "vpd -i RW_VPD -s check_enrollment=0", then press Ctrl+Alt+F1.
8: Open the kiosk app.
9: Once you're done, reboot your computer with Power+Refresh, then follow the instructions.
os;externalstorage;externalpc;x86;devmode;Shimboot
Requires storage device, another PC, x86-based Chromebook; Dev Mode required (see here)
Allows you to boot into Linux or Chrome OS without modifying your Chromebook.
Chrome OS-based exploit.
1: Find your Chromebook’s board name by going to chrome://version, it will be behind “stable-channel”.
2: Get your Chromebook’s RMA shim from chrome100.dev or download a prebuilt one here.
A: Clone the https://github.com/ading2210/shimboot repository.
3: Flash the shimboot image to a USB drive or SD card. Use the Chromebook Recovery Utility or dd if you're on Linux.
4: Enable Dev Mode & then Recovery Mode (Esc+Refresh+Power when booting).
5: Boot into Debian & log in. The default is user/user.
6: Expand the rootfs partition so that it fills up the entire disk by running "sudo growpart /dev/sdX 4" (replacing sdX with the block device corresponding to your disk) to expand the partition, then run "sudo resize2fs /dev/sdX4" to expand the filesystem.
devmode;web;Skebstore
Requires extension Developer Mode
An extension that allows you to download other extension.
Web-based exploit.
1: Download the folder from the GitHub page or here.
2: Go to chrome://extensions & enable extension Developer Mode.
3: Click "Load unpacked" & select the folder (unzip it if needed).
4: Click the extension to go to the Skebstore install page.
5: Insert the extension you want to download's ID & download it.
web;snapandread;Snap&Run
2: Enable the Snap&Read toolbar.
3: Enter any text into the outline topic's editable text area.
4: Click the bullet point of the topic.
5: Click the "Link to Source" option.
6: Click the "+" button at the bottom right.
7: Switch to the website tab.
8: In the Article/Page title input field, enter the name of your chosen bookmarklet.
9: Click "Save" & switch to the outline tab.
10: In the Snap&Read toolbar, click the "Hide Outlines" button.
Execution:
11: In the Snap&Read toolbar, click the "Show Outlines" button.
12: In your created outline, click the link separated by parenthesis that contains the bookmarklet.
13: Click the "Hide Outlines" button.
web;sourcecodeview;Source View
Requires the ability to view a page’s source code
Reconstructs a web page from its source code.
Web-based "exploit".
1: Go to a website & view its source code with Ctrl+U or by using the View Source bookmarklet.
2: Copy everything from the newly opened tab & paste it in a site like this. devmode;usb;USBoot
Requires Dev Mode
Allows you to boot from a USB device.
1: Enabble Dev Mode (Esc+Power+Refresh).
2: After selecting "boot from internal disk", press Ctrl+Alt+F2.
3: Type "sudo crossystem dev_boot_usb=1".
Press "Ctrl+U" on the OS Verification screen to boot from USB.
ublockorigin;web;uRun
uBlock Origin exclusive
Unblocks bookmarklets. Updated version of uBlock Run.
Web-based exploit.
1: Go to uBlock Origin’s settings page & check the “I am an advanced user” box, then click on the small cog icon.
2: Find “userResourcesLocation unset" & change it to "https://inglan2.github.io/uRun/urun.js".
3: Go to the “My filters” tab & add a line with “*##+js(urun.js)”, then run the code on the current page (Ctrl+Alt+~).
Press "Ctrl+Shift+`" to open the menu, where you can run & create scripts. To add a script, click the ➕ button & enter the code without the "javascript:" part.
os;web;Wi-Password Export
Only works with connected networks; only works on Chrome OS
Gives the passwords to connected WiFi networks from a net log file.
Web-based exploit.
1: Go to chrome://net-export.
2: Select "Include raw bytes" & start logging to disk.
3: Go to chrome://policy.
4: Click "Reload policies".
5: Go back to chrome://net-export & stop logging.
6: Go here or open this HTML file & upload the log file.
Crosh devmode;CroshFi
Requires Devmode
Gives you the password to a WiFi network.
1: Enter Devmode & open Crosh (Ctrl+Alt+T).
2: Run the commands "shell", "sudo su", & "cd home/root", then type "ls" & copy the middle code string.
3: Run the command "cd [code string here]" & type "ls" again. Enter "more shill/shill.profile".
4: Enter "more shill/shill.profile".
5: Eventually, you’ll see a username appear. Scroll up in Crosh until you see the SSID (network ID). Copy the passphrase code (below the SSID & after the colon).
6: Run the command "echo [passphrase] | tr ‘!-~’ ‘P-~!-O’."
v101;De-roll
Patched on Chrome OS 101+
Unenrolls your Chromebook using Crosh.
Unenroll:
1: Open Crosh (Ctrl+Alt+T).
2: Run "set_cellular_ppp \';dbus-send${IFS}--system${IFS}--print-reply${IFS}--dest=org.chromium.SessionManager${IFS}/org/chromium/SessionManager${IFS}org.chromium.SessionManagerInterface.ClearForcedReEnrollmentVpd;exit;\'"
3: Powerwash your Chromebook (Ctrl+Alt+Shift+R).
4: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
Re-enroll:
1: Open a bash shell & run "sudo -i", "vpd -i RW_VPD -s check_enrollment=1", "echo "fast safe" > /mnt/stateful_partition/factory_install_reset", & "reboot".
unenrollment;v117;Fakemurk
Requires unenrollment; patched on version 117+; patched on Kernver 4
Allows you to have Dev Mode permissions while in Safe Mode.
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4, your Chromebook is unsupported.
3: Unenroll your device.
4: Enter Dev Mode.
5: Install RW_LEGACY bios from here.
6: Open Crosh (Ctrl+Alt+T) & run the commands “sudo -i” & “bash <(curl -SLk https://github.com/MercuryWorkshop/fakemurk/releases/latest/download/fakemurk.sh)”. Follow everything it says. If you get an error about a filesystem being readonly, run “fsck -f $(rootdev)” & reboot.
7: Enter Devmode with Ctrl+D, then press Refresh+Power & then press space on the OS verification screen. You will be on a “Chrome OS is missing or damaged” screen. Press Esc+Refresh+Power then Ctrl+D & enter. When you get back to the OS verification screen, press Ctrl+D to boot.
Don't use the sign out button as it will freeze your computer. Use Power+Refresh or Reboot in Crosh instead.
Mush will be installed with Fakemurk.
While Fakemurk is installed, you can make a folder called “disable-extensions” to disable extensions.
powerwash;OP Crosh
Requires powerwash
Deletes the extensions.
1: Open Crosh (Ctrl+Alt+T) & run the “vmc” command. If you get a list of subcommands, then continue.
2: Powerwash then sign in & disable WiFi immediately.
3: Go to chrome://extensions & enable your internet, then immediately disable it when an extension is installed.
4: Open Crosh & for each extension you want to disable, run the command “vmc create-extra-disk --size 1 /home/chronos/user/Extensions/{extensionID}” or run "Open Crosh & type “vmc create-extra-disk --size 1 /home/chronos/user/Extensions”" to disable all.
5: Reenable WiFi.
devmode;os;Pollen
Requires Dev Mode
Changes your Chromebook's policy.
Chrome OS-based exploit.
1: Enter Dev Mode (Esc+Power+Refresh) & open Crosh (Ctrl+Alt+T).
2: Run the following commands: “shell”, “sudo su”, & “curl -Ls https://mercuryworkshop.github.io/Pollen/Pollen.sh | bash”.
3: If the policy doesn’t apply, press Alt+Vol Up+X.
Created by The Wagonization, consisting of JackWagon885
All credit goes to the respective owners. I only compile them in a list.
Fuck you Google