CryptoSmite Unenrollment Exploit
FWSmasher, unretained, fallenmoon8080, Catakang#0987

Website Blog GitHub Discord Source

The kernel version of your Chromebook must end with 0, 1, or 2 to perform this exploit.

An unenrollment exploit that uses stateful files to unenroll.

How it works

The exploit uses stateful backups, which allow the encrypted contents of the stateful partition to be replaced with arbitrary contents. That data is used to track enrollment status, so it is replaced to make the device appear unenrolled. At the OOBE (out-of-box experience), ChromeOS starts the AutoEnrollmentController, which chains into the ash ownership system; the ownership system then checks for a file and, if that file exists, removes the firmware management parameters (FWMP).

Performing the exploit

NOTICE: The authors are not responsible for any damage caused by the use of this exploit. Do not contact them for any issues it causes to your device.

    Instructions

    The instructions may contain minor inaccuracies, such as mismatched letter case.
  1. Enter Recovery Mode by holding Esc + Refresh + Power for 2 or 3 seconds. You should be on an "Insert Recovery Media" or "Let's step you through the recovery process" screen.
  2. Check your kernel version for compatibility by pressing TAB and looking at the last digit of the kernver= line. If the last digit of the kernver= line is 0, 1, or 2, your Chromebook is supported and you can downgrade to ChromeOS version 119 or lower. Follow the instructions in the Downgrade Versions section.
  3. If the last digit of the kernver= line is 3, your Chromebook is not supported, and you cannot downgrade to ChromeOS version 119 or lower. Wait for a new unenrollment exploit or do a dangerous hardware modification here.
  4. On a personal device, download stateful.tar.xz and the CryptoSmite chroot. Have all of these downloads ready before starting.
  5. Clone the CryptoSmite repository by running the following command in a terminal: git clone https://github.com/FWSmasher/CryptoSmite
  6. In the terminal, change into the cloned directory.
  7. Run the host script with the raw RMA shim, the cryptsetup chroot, and the stateful backup as its three arguments:

    ./cryptosmite_host.sh <raw RMA shim path> <cryptsetup chroot path> <stateful.tar.xz path>
    Using the Recovery Utility
  8. Install the Chromebook Recovery Utility extension.
  9. Open the "Chromebook Recovery Utility" extension.
  10. In the extension popup, at the top right, select "Use local image". The image should be the modified RMA shim.
  11. Select the local recovery image.
  12. Insert the USB drive or SD card you want to flash.

    Important: Existing data will be erased from the USB drive or SD card when flashing with the recovery utility.

  13. Follow the prompts in the recovery utility.

    Attempting to Enable Developer Mode

    Important: You may want to back up important local data on your profile before doing this.
  14. On your Chromebook, press Esc + Refresh ↻, then press Power ⏻ to enter recovery mode.
  15. Turn off OS verification by attempting to enable Developer Mode: press Ctrl + D on the recovery mode screen.
  16. An OS verification confirmation message should appear.
  17. After a few seconds, a screen will show up indicating that OS verification is off and that developer mode is blocked by policy, as shown in the top left corner of the screen.
  18. Press Esc + Refresh + Power again, and then plug in the USB drive you have just flashed.
  19. Press Esc + Refresh ↻, then press Power ⏻.

    The previous screen should appear with OS verification turned off.

  20. Insert the external memory device with CryptoSmite flashed.

    This should boot the RMA shim, which brings the system into the CryptoSmite interface.

  21. Navigate to the Edit Stateful Bash screen.
  22. In the bash shell, extract the stateful backup over the device's stateful partition, then exit the shell to reboot the system into verified mode:

    tar -xvf /mnt/shim_stateful/stateful.tar.xz -C /mnt/stateful
    exit

  23. On the OOBE screen, select the OK button.
  24. When the setup pane has appeared, enable Developer Mode.

    If the process gets stuck, it is recommended to open an issue on the GitHub repository.

  25. To enable developer mode, press Esc + Refresh + Power to enter recovery mode, and then press Ctrl + D.

    From here, there are two ways to proceed: either wait out the five-minute developer mode transition by pressing Ctrl + D, or skip the transition as described next.

    How to skip the 5 minute developer mode wait and transition
  26. Once you have reached the "developer mode is on" screen, press Esc + Refresh + Power and boot into an RMA shim.
  27. Select the bash shell, and run the following commands (or save them as a bash script). Note that mkfs reformats the stateful partition, so any local data still on it is lost, and that /dev/mmcblk0p1 is the stateful partition's device node on eMMC storage; on NVMe or SATA storage the same partition has a different name (for example /dev/nvme0n1p1 or /dev/sda1).

    mkfs.ext4 /dev/mmcblk0p1 -F
    mount -o loop,rw /dev/mmcblk0p1 /tmp
    touch /tmp/.developer_mode
    umount /tmp && sync
    reboot

  28. On "enrollment" branch shims, this script is already included in the new menu.
  29. After enabling developer mode using either of the two methods above, boot into the operating system and run the last two commands below in the VT2 shell (press Ctrl + Alt + F2 and log in as `root`). These commands will NOT work in a shim.

    Quickly after you boot, run:

    vpd -i RW_VPD -s check_enrollment=0
    cryptohome --action=remove_firmware_management_parameters

    If you do not get the timing right, powerwash the Chromebook and try again. If you got the timing and everything else correct, you are done. Exit the VT2 shell by pressing Ctrl + Alt + F1, then follow the on-screen instructions to add your personal and school account on the unenrolled device.