BR1CK Exploit
Copernicium [byte]
Before you start, back up anything that is not synced to your Google Account (mainly important files). It is a good idea to read these instructions on another device such as a phone, because you will not be able to access this guide on the Chromebook you are using to perform the exploit. Then powerwash the Chromebook by going into Recovery Mode (ESC + ↻ + ⏻), pressing Ctrl + D, waiting for the reboot, and returning to secure (verified) mode. DON'T POWERWASH THE NORMAL WAY!
Please report bugs to Copernicium on Discord.
How it Works
The BR1CK exploit takes advantage of an oversight in how ChromeOS creates the FWMP (Firmware Management Parameters)[1] space in the TPM (Trusted Platform Module). It can unenroll any device that does not use platform FWMP. During enrollment ChromeOS writes the FWMP space; if you EC (Embedded Controller) reset the device with ↻+⏻ at just the right moment, the write is interrupted and the FWMP is left blank. This bricks the device, because the firmware does not expect the FWMP space to exist without holding a valid value: it drops into recovery with a TPM error. While the FWMP is in this state its protections[2] are not applied, so the device is no longer under its control and can be unenrolled. That lets us boot SH1MMER, deprovision the device, and repair the brick with gsctool -a -o, which opens CCD on the security chip and wipes the TPM, taking the broken FWMP space with it.
1. FWMP TPM space: the TPM NVRAM space ChromeOS uses to store enrollment-related data.
2. While a valid FWMP is in place, protections are enforced to stop it from being removed: developer mode is blocked, debug cables are blocked, and more, which prevents unenrollment.
Discovery
While trying to do CRSH2TTY[1], I ended up bricking my device multiple times (a total of four). One time, I randomly tried to disable write protection while unbricking with a SuzyQ (debug cable), and surprisingly, it worked! This led to the discovery that FWMP doesn't apply while FWMP is corrupted. This behaviour lives in the read-only firmware, which a ChromeOS update cannot change, so Google would have to ship new Chromebooks with fixed firmware to stop it. All of my exploits have been made due to CRSH2TTY in some way.
1. CRSH2TTY was a (now patched) unenrollment exploit that required resetting at specific times, similar to BR1CK.
Requirements
1. Luck (or skill, because you can get it consistently).
2. A board that is not platform FWMP. As of October 29, 2024, if you have one of the Chromebook boards listed below, you cannot do the exploit:
nissa, corsola, brya, brask, cherry, guybrush, skyrim, rex, staryu, geralt
How do I find my board name? Go to chrome://version, press Ctrl + F and search for "stable-channel"; the word after that is your Chromebook board.
4. A leaked shim, a USB drive, and another PC to flash it.
4.1. If you have a keyrolled dedede, you can buy a SuzyQable (I highly recommend this seller; I bought from them and they're highly reputable) and use alternative steps I can provide or walk you through.
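A worked model of the FWMP state described under How it Works, added here as an example; it is not Copernicium's code and not taken from this page. It serializes an FWMP space the way enrollment would, validates it the way the firmware does, and shows that a space left blank by an interrupted write fails validation, so the firmware both reports a TPM error and enforces none of the flags. The layout, version constant and flag-bit names follow vboot's vb2_secdata_fwmp as I recall them and should be checked against vboot_reference before being relied on; the "blank" and "corrupted" contents are constructed.

```python
"""FWMP space model: why an interrupted enrollment write bricks, and why a
blank FWMP enforces nothing.

Added example, not Copernicium's code. Struct layout, version and flag bit
names are taken from memory of vboot_reference's vb2_secdata_fwmp
(2secdata_struct.h); verify them there before relying on exact values."""
import struct
from typing import Tuple

FWMP_VERSION = 0x10      # assumed: VB2_SECDATA_FWMP_VERSION
FWMP_SIZE = 40           # crc8 + size + version + reserved + u32 flags + 32-byte hash
FWMP_FMT = "<BBBBI32s"   # little-endian layout of the space

# Flag bits (assumed names/positions). The two the page cares about:
DEV_DISABLE_BOOT = 1 << 0        # "developer mode is blocked"
DEV_DISABLE_CCD_UNLOCK = 1 << 6  # "debug cables are blocked"


def crc8(data: bytes) -> int:
    """CRC-8, polynomial 0x07, init 0, no reflection (same as vb2_crc8)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def build_fwmp(flags: int, dev_key_hash: bytes = b"\0" * 32) -> bytes:
    """Serialize a valid FWMP space the way a completed enrollment writes it."""
    body = struct.pack("<BBBI32s", FWMP_SIZE, FWMP_VERSION, 0, flags, dev_key_hash)
    return bytes([crc8(body)]) + body   # CRC covers everything after the crc byte


def parse_fwmp(space: bytes) -> int:
    """Validate a space the way firmware init does and return its flags.
    Any inconsistency raises ValueError: that is the "TPM error" recovery."""
    if len(space) < FWMP_SIZE:
        raise ValueError("space too small")
    crc, size, version, _reserved, flags, _hash = struct.unpack(FWMP_FMT, space[:FWMP_SIZE])
    if size < FWMP_SIZE or size > len(space):
        raise ValueError(f"bad struct_size {size}")
    if crc != crc8(space[1:size]):
        raise ValueError("CRC mismatch")
    if (version & 0xF0) != (FWMP_VERSION & 0xF0):
        raise ValueError(f"bad struct_version {version:#x}")
    return flags


def effective_flags(space: bytes) -> Tuple[bool, int]:
    """(valid, flags that will actually be enforced). A space that fails to
    initialise enforces nothing: this is the window BR1CK uses."""
    try:
        return True, parse_fwmp(space)
    except ValueError:
        return False, 0


if __name__ == "__main__":
    enrolled = build_fwmp(DEV_DISABLE_BOOT | DEV_DISABLE_CCD_UNLOCK)
    interrupted = b"\0" * FWMP_SIZE          # constructed: space defined, never filled
    corrupted = enrolled[:4] + bytes([enrolled[4] ^ 1]) + enrolled[5:]  # flag bit flipped, stale CRC
    for name, space in (("enrolled", enrolled), ("interrupted", interrupted), ("corrupted", corrupted)):
        valid, flags = effective_flags(space)
        print(f"{name:12s} valid={valid!s:5s} enforced flags={flags:#04x}")
```

The enrolled space parses and its flags are honoured; the blank space fails the size and CRC checks before any flag is read, which is why the machine lands in recovery with a TPM error and why, in that state, developer mode and debug cables are no longer blocked.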
Performing the Exploit
[RECOMMENDED] For users with chrome://network#logs (it can't be blocked by policy; you can't use oobescape for this)
1. Go to the Finding the Reset Times section below, go through the process, memorize the time it gives you, then continue.
2. Powerwash the Chromebook again by signing out and pressing Ctrl + Alt + Shift + R.
3. Proceed through setup. When "Getting device ready" appears, get a stopwatch ready and wait for the "Enterprise enrollment" screen.
4. When "Enterprise enrollment" appears, start your stopwatch.
5. When you are inside the time range the file uploader gave you (aim for the higher end), perform an EC reset with ↻+⏻.
6. If Chrome comes back on and you get one of the following screens, proceed; otherwise keep trying (this can take a long time, but most people get it in 2-20 tries).
If you press Tab on either of these screens, under "recovery reason" it should say something about an error in the TPM (Trusted Platform Module).
7. Once bricked, get a shim (this guide uses the legacy shim). To flash a shim you need a secondary computer or another way to connect a USB drive to a device (there are mobile methods if you have the right connector).
7.1. Go to https://dl.darkn.bio/SH1mmer/Prebuilt/Legacy.
7.2. Download the shim for your board.
7.3. Now the hard part, flashing. Use one of the following tools: CRU Extension, Rufus, or BalenaEtcher (on Linux you can also use dd). This guide uses the CRU Extension.
7.4. Open the CRU Extension and click the settings icon in the top right.
7.5. Select the option containing "Local file".
7.6. Select your shim in the file manager.
7.7. Select your USB drive.
7.8. Wait for flashing to finish; then you can remove the drive and continue.
8. Press ESC + ↻ + ⏻, then Ctrl + D, then Enter to enable developer mode (it doesn't matter if it is blocked), and then ESC + ↻ + ⏻ again to enter recovery mode.
9. Plug in your shimmed USB drive.
If you get a screen saying "the device does not contain ChromeOS" / "no valid image", you chose the wrong shim for your Chromebook's board, did not enter developer mode, had a bad flash or a bad file, or you have been keyrolled (and cannot continue).
10. When the shim boots, press D to select "Deprovision".
11. Next, press B to open a bash shell; this is where we unbrick.
12. Run the following command:
gsctool -a -o
Press the power button whenever it says "Press PP button now!" (this takes a while). "Another press will be required" means wait; you may have to wait a minute or more between presses.
13. Once that process finishes, reboot and you'll be back at the "Welcome!" screen. (If it doesn't reboot or gsctool doesn't work, see the "errors while unbricking" section at the bottom.)
14. Get back into developer mode by pressing ESC + ↻ + ⏻, then Ctrl + D, then Enter.
15. Press Ctrl + D if you're on the white "OS verification is OFF" screen, or Enter if you're on the black "You are in developer mode" screen. (Keep this in mind if you want to stay in developer mode: you will have to do this every time you power on.)
16. You may get a "Your system is transitioning into Developer Mode" screen; wait for the 5-minute timer to finish, then follow step 15 again to boot into ChromeOS verified mode.
17. Start setting up your Chromebook in OOBE (Out-of-Box Experience) by clicking Get Started, going through Wi-Fi, and continuing. Then prepare for the next step.
18. When it says "Enterprise enrollment", immediately boot into recovery mode (ESC + ↻ + ⏻).
19. Boot the shim.
20. Run Deprovision (D), then reboot (E); boot, and you should be unenrolled!
Join Copernicium on Discord for help with anything (MAKE SURE TO READ EVERYTHING FIRST).
[REALLY HARD AND LUCK BASED] For users WITHOUT chrome://network#logs
1. Powerwash by signing out, pressing Ctrl + Alt + Shift + R, and following the instructions.
2. Proceed with setup until you reach the "Getting device ready" screen.
3. Get a stopwatch ready and wait for the "Enterprise enrollment" screen. When it appears, start the stopwatch and record how long enrollment takes to finish.
4. Take that time and subtract about 1 to 1.5 seconds; this is your reset time.
5. Powerwash again as in step 1, go through setup, and when you reach the "Enterprise enrollment" screen start your stopwatch; at the time from step 4, perform an EC reset with ↻+⏻.
6. From here on the process is identical to the chrome://network#logs method above: continue from its step 6 (check for the bricked screen with the TPM recovery reason, flash and boot the shim, unbrick with gsctool -a -o, then run Deprovision on the second pass through OOBE).
Finding the Reset Times
How to use this?
1. Go to chrome://network#logs.
2. Under the options section, check all of the boxes (the bottom two options are enough if you prefer).
3. Drop the combined-logs.tar.gz file into the dropzone on the page. If you get an error, ask for help in Copernicium.
4. The reset timing will appear below the dropzone.
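What the dropzone tool computes, shown as an added Python example rather than the page's own tool (this is not Copernicium's code). It unpacks a combined-logs.tar.gz, finds the first line marking the "Enterprise enrollment" screen and the first line marking the end of enrollment, and turns their distance into the reset window that the manual method above expresses as "1 to 1.5 seconds before enrollment finishes". The two marker strings are hypothetical placeholders, and the log lines in the sample tarball are constructed; the real tool's patterns are not given on this page, so take the marker text from your own logs.

```python
"""Reset-window finder for an OOBE log capture.

Added example, not Copernicium's tool. The MARKERS below are hypothetical:
replace them with the real lines from your combined-logs.tar.gz."""
import io
import re
import tarfile
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

# Hypothetical markers (assumption): a line logged when the "Enterprise
# enrollment" screen appears, and a line logged once enrollment has finished.
MARKERS = {
    "screen": "Enterprise enrollment screen shown",
    "done": "enrollment completed",
}
LEAD_MIN_S = 1.0   # the manual method's rule: reset 1 to 1.5 s before
LEAD_MAX_S = 1.5   # enrollment would finish
# ChromeOS-style ISO-8601 prefix with fractional seconds, e.g. 2024-10-29T18:02:14.500000Z
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{1,6})Z?\b")


def parse_ts(line: str) -> Optional[datetime]:
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f") if m else None


def marker_times(lines: Iterable[str]) -> Dict[str, datetime]:
    """First timestamp at which each marker appears (later repeats are ignored)."""
    found: Dict[str, datetime] = {}
    for line in lines:
        for name, text in MARKERS.items():
            if name not in found and text in line:
                ts = parse_ts(line)
                if ts is not None:
                    found[name] = ts
    return found


def reset_window(screen: datetime, done: datetime) -> Tuple[float, float]:
    """Seconds after the enrollment screen appears during which to EC-reset."""
    total = (done - screen).total_seconds()
    if total <= LEAD_MAX_S:
        raise ValueError(f"enrollment took only {total:.2f}s; window would be negative")
    return round(total - LEAD_MAX_S, 2), round(total - LEAD_MIN_S, 2)


def analyze_logs(tar_bytes: bytes) -> Tuple[float, float]:
    """Scan every file inside a combined-logs.tar.gz for the markers."""
    found: Dict[str, datetime] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            text = fh.read().decode("utf-8", errors="replace").splitlines()
            for name, ts in marker_times(text).items():
                found.setdefault(name, ts)
    missing = [name for name in MARKERS if name not in found]
    if missing:
        raise ValueError(f"markers not found in logs: {missing}")
    return reset_window(found["screen"], found["done"])


def make_sample_tarball() -> bytes:
    """Constructed sample capture (not real device logs): enrollment takes 5.4 s."""
    log = "\n".join([
        "2024-10-29T18:02:10.104233Z INFO chrome[1451:1451]: Getting device ready",
        "2024-10-29T18:02:14.500000Z INFO chrome[1451:1451]: Enterprise enrollment screen shown",
        "2024-10-29T18:02:15.300000Z INFO chrome[1451:1451]: device policy fetch started",
        "2024-10-29T18:02:19.900000Z INFO chrome[1451:1451]: enrollment completed",
    ]) + "\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = log.encode()
        info = tarfile.TarInfo(name="var/log/chrome/chrome")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    lo, hi = analyze_logs(make_sample_tarball())
    print(f"EC-reset between {lo:.2f}s and {hi:.2f}s after the enrollment screen appears")
```

With the constructed capture the window comes out as 3.90 to 4.40 seconds after the enrollment screen appears; the guide's advice to aim for the higher end of the range corresponds to the second number.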