E-Halcyon
Mercury Workshop


You will need a Linux PC or a virtual machine in order to perform this exploit. WSL is not guaranteed to work. Developer mode and terminals must also not be blocked by policy in order to perform this exploit.

Defog Your Chromebook

E-Halcyon is a bypass for "The Fog", Google's mitigation against the unenrollment and downgrading of Chrome OS devices. This exploit allows you to downgrade and bypass enterprise enrollment on managed Chromebooks, even if they have received the update from Google that patched version downgrading and enrollment escape.

E-Halcyon was developed by Mercury Workshop, the same developers behind the SH1MMER exploit.

Instructions

  1. First, you will need to boot into SH1MMER, and press the option that says "Un-Enroll". It won't truly unenroll you if you have received the version 112 update patching unenrollment and downgrading versions, but it is still a necessary step for the rest of this exploit. If you have never used SH1MMER before or do not have an image lying around, make sure to follow all of the instructions on sh1mmer.me for unenrollment before proceeding with the rest of the exploit tutorial here.
  2. Next, you need a version 107 recovery image corresponding to your Chromebook's board, which you can pick up from chrome100.dev. Once you have downloaded the correct recovery image for your Chromebook's board and have confirmed that it is for version 107, unzip it and save it to a safe place. Now, open up a terminal and type in the following commands (make sure to replace /path/to/recovery/image.bin with the actual path):

         git clone https://github.com/MercuryWorkshop/RecoMod
         cd RecoMod
         chmod +x recomod.sh
         sudo ./recomod.sh -i /path/to/recovery/image.bin --halcyon --rw_legacy

  3. The script and commands above will modify the image in place. The image can then be flashed with a standard recovery tool onto a USB drive of your choice.
  4. Enable developer mode and get to the developer mode block screen similarly to how you would with SH1MMER, then plug in the USB drive. The recovery screen will show up, and at this point you will need to start spamming the 'E' key on your keyboard. It will begin a 5-minute wait sequence. Near the end of the 5 minutes, start spamming the 'E' key on your keyboard again. You will only have to wait 5 minutes once; subsequent boots will omit the 5-minute wait.
  5. The boot splash will show, and you will enter a special menu. Use the arrow keys to navigate the cursor down to "activate halcyon environment" and then press the Enter key. Then, navigate down to "Install halcyon semi-tethered" and wait for it to finish installing. Once it has finished installing, go back to "activate halcyon environment" and press "Boot halcyon semi-tethered", and you will be successfully booted into a downgraded and unenrolled ChromeOS environment.

Exploit Credits

  • RecoMod, working switch_root, and everything else - CoolElectronics
  • Insight and contributions to the RecoMod script - OlyB
  • Created the original E-Halcyon website - vk6