SH1MMER Unenrollment Exploit
Mercury Workshop


Shady Hardware 1nstrument Makes Machine Enrollment Retreat

SH1MMER is an exploit capable of completely unenrolling enterprise-managed Chromebooks. It was found by the Mercury Workshop team and released on Friday, January 13th, 2023. For more information about this exploit, check out the Writeup by CoolElectronics.

Important Note: Shim downloads have been taken down by Google for legal reasons. Use this rehosted link to get a shim for your Chromebook's board.

If this isn't working for you, check "The Fog" section below.

Exploit Requirements

  • A USB drive or SD card with at least 8 GB of storage; this is required for booting into SH1MMER
  • A personal computer or Chromebook; note that you need administrator permissions on Windows/macOS
Flashing a USB drive

      Instructions

    1. First, find your managed Chromebook's board name. Go to chrome://version on your Chromebook and copy the word after stable-channel on the Platform line, or use one of a variety of other methods.
    2. If your board name is in the list below, your board has a publicly leaked RMA shim, duh. If it's not, you'll have to source it on your own... somehow.

      ambassador, banon, brask, brya, clapper, coral, corsola, cyan, dedede, edgar, elm, enguarde, fizz, glimmer, grunt, hana, hatch, jacuzzi, kalista, kefka, kukui, lulu, nami, nissa, octopus, orco, puff, pyro, reef, reks, relm, sand, sentry, stout, strongbad, tidus, trogdor, ultima, volteer, zork

    3. Next, obtain a SH1MMER bin. Download a raw shim at dl.sasquatch9228.dev (or any other source), and build it with the SH1MMER Web Builder.
    4. You can also use the desktop version of wax for Linux/WSL, located in the GitHub repository.
    5. Once you've obtained a MODIFIED/INJECTED SHIM (NOT A RAW SHIM), you can continue.
    6. Download the Chromebook Recovery Utility extension on your personal computer as well.
    7. Once the downloads are complete, launch the recovery utility by clicking the extensions icon in Chrome, then clicking Chromebook Recovery Utility, and plug your USB drive into your personal computer.
    8. IMPORTANT NOTE: Your USB drive will be completely erased and repartitioned.
    9. In the recovery utility window, click the settings icon (⚙) and press "Use local image".

      (Screenshot: Chromebook Recovery Utility)

    10. Select your shim file, identify your USB drive, and start the writing process. This can take anywhere between 30 seconds and 20 minutes, depending on the speed of your USB drive.
    11. You can also use tools such as Rufus, balenaEtcher, etc. to flash on Windows. If you are on Linux, dd is recommended.
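The Linux path through the steps above, written out as an added example (this is not code from the SH1MMER repository): it pulls the board out of the chrome://version Platform line (it accepts any "<name>-channel" token, so beta and dev builds work too), checks it against the leaked-shim list from this page, makes sure the file you are about to write really is a built shim (a whole-disk image with a GPT header at byte 512, which a zip or a truncated download does not have), and refuses to dd onto anything that is not a whole removable disk or that holds your running root filesystem. The example Platform string, file names and device paths are assumptions; /sys/block, findmnt and GNU dd are assumed available.

```sh
#!/bin/sh
# flash_shim.sh - helper for the "Flashing a USB drive" steps on Linux.
# Added example, not part of the SH1MMER repository. Assumes sysfs under
# /sys/block and the usual coreutils/util-linux tools (dd, findmnt).

# Board list from this README (boards with a publicly leaked RMA shim).
LEAKED_BOARDS="ambassador banon brask brya clapper coral corsola cyan dedede
edgar elm enguarde fizz glimmer grunt hana hatch jacuzzi kalista kefka kukui
lulu nami nissa octopus orco puff pyro reef reks relm sand sentry stout
strongbad tidus trogdor ultima volteer zork"

# Step 1: pull the board name out of the chrome://version "Platform" line,
# e.g. "15183.69.0 (Official Build) stable-channel octopus" -> octopus.
# Matches any "<name>-channel" token, so beta/dev channels work as well.
board_from_platform() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i ~ /-channel$/) { print $(i + 1); exit } }'
}

# Step 2: does this board have a leaked shim? (returns 0 = yes)
has_leaked_shim() {
    for b in $LEAKED_BOARDS; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# A built shim is a whole-disk image: a GPT header ("EFI PART") sits at
# byte 512. Catches the wrong file (zip, compressed download, truncation).
check_image() {
    [ -f "$1" ] || { echo "image not found: $1" >&2; return 1; }
    sig=$(dd if="$1" bs=8 skip=64 count=1 2>/dev/null)
    [ "$sig" = "EFI PART" ] || { echo "no GPT header at offset 512 in $1" >&2; return 1; }
}

# Refuse anything that is not a whole, removable block device, and never
# the disk that carries the running root filesystem.
check_target() {
    dev="$1"; name=$(basename "$dev")
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    [ -e "/sys/block/$name" ] || { echo "give the whole disk, not a partition: $dev" >&2; return 1; }
    [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" = "1" ] ||
        { echo "$dev is not flagged removable; refusing" >&2; return 1; }
    case "$(findmnt -no SOURCE / 2>/dev/null)" in
        "$dev"*) echo "$dev holds the root filesystem; refusing" >&2; return 1 ;;
    esac
}

# Write the image (needs root). conv=fsync plus sync make sure the data is
# on the stick before you pull it; partprobe reloads the new partition table.
flash_shim() {
    check_image "$1" && check_target "$2" || return 1
    for p in "$2"?*; do umount "$p" 2>/dev/null; done   # drop any automounts
    dd if="$1" of="$2" bs=4M conv=fsync status=progress && sync || return 1
    command -v partprobe >/dev/null 2>&1 && partprobe "$2"
    echo "wrote $1 to $2"
}

# Usage: flash_shim.sh <injected-shim.bin> /dev/sdX   (run as root)
if [ $# -eq 2 ]; then
    flash_shim "$1" "$2"
fi
```

The removable check reads the kernel's own flag, so an internal SATA/NVMe disk is refused even if you mistype the device; the GPT check is what tells a raw or mis-built file apart from a finished shim before anything is overwritten.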

    Executing on Chromebook

    1. Once writing is complete, enter recovery mode on your Chromebook by pressing the power button (⏻), reload key (↻), and Escape key at the same time. Your screen should look like one of the images below:

      (Screenshots: Recovery mode, groot UI / Recovery mode, old UI)

    2. Press Ctrl+D on this screen, then press Enter.
    3. It will now say something about "confirm returning to secure mode" or that "OS verification is off". You will most likely not actually be in developer mode, but the exploit will work regardless. Your screen should now look like one of the images below:

      (Screenshots: TONORM, groot UI / TONORM+FWMP, old UI)

    4. On this screen, press the power button (⏻), reload key (↻), and Esc key at the same time again. This is very important and cannot be skipped.
    5. Once it re-shows the original recovery screen, plug your shimmed USB into your Chromebook, and press the power button (⏻), reload key (↻), and Esc key again. After a brief black-and-white loading screen, you should be in the SH1MMER menu.

      (Screenshot: SH1MMER Beautiful World UI)

    6. Play around with the UI, exit, and reboot.

      The Fog

      (Google's response, and why this might not be working for you)

      Downgrading and unenrollment have been patched by Google. If your Chromebook has never updated to version 112 (check in chrome://version), you can ignore this and follow the regular instructions. If it has, unenrollment will not work as normal. If you aren't willing to take apart your Chromebook's hardware to unenroll, you can use an affiliated project, E-HALCYON, to boot into a deprovisioned environment temporarily.

    How to use the SH1MMER exploit on versions 111 through 113

    (if you're willing to take the back cover off your Chromebook)

    You only need to do this once, and it will let you use the SH1MMER exploit even after it's been completely patched.

    1. Unplug everything, open the back panel, disconnect the battery to disable Write Protection, plug in the charger.
    2. Boot into SH1MMER and use "Un-Enroll / Deprovision" (yes it will show an error, but that doesn't matter)

      (you will also need to run "Disable block_devmode" if you're using the old legacy version).

    3. Go to the bash shell and run this command: /usr/share/vboot/bin/set_gbb_flags.sh 0x8090. This sets the FORCE_DEV_BOOT_USB (0x10), FORCE_DEV_BOOT_LEGACY (0x80) and FORCE_MANUAL_RECOVERY (0x8000) GBB flags; the GBB lives in the read-only firmware region, which is why Write Protection has to be off for the write to succeed. Do not use "Reset GBB Flags" after this.
    4. Exit SH1MMER, unplug everything, reconnect the battery, and reconnect the charger.
    5. Boot up and press Ctrl+D to enter developer mode.
    6. When completed, use Ctrl+ALT+SHIFT+R to powerwash the Chromebook.
    7. After powerwashing, immediately enter VT2 with Ctrl+Alt+F2 (→), log in as "root" and run these commands:

      tpm_manager_client take_ownership
      cryptohome --action=remove_firmware_management_parameters

      If it fails, try downgrading to version 110 if possible. If you cannot do so, use E-Halcyon instead.
    8. Press Ctrl+Alt+F1 (←), and use Ctrl+Alt+Shift+R to powerwash the Chromebook again.
    NOTE: If you have a dedede board, your Write Protection method is probably different. Look your model up online to find the WP method.
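Because set_gbb_flags.sh silently leaves the old flags in place when the RO region is still write-protected, it is worth checking from the SH1MMER bash shell that the value really landed before reconnecting the battery in step 4. The script below is an added example, not code from the SH1MMER project: it decodes a GBB flags word into vboot's flag names (only the bits relevant to this page are listed), checks the hardware write-protect pin through crossystem, and compares a read-back value with the intended one. Reading the live flags through /usr/share/vboot/bin/get_gbb_flags.sh and taking the first 0x... token of its output is an assumption about that helper; the comparison itself is done on values you pass in.

```sh
#!/bin/sh
# gbb_check.sh - decode a GBB flags word and confirm the firmware holds it.
# Added example, not part of the SH1MMER repository. Run as root from the
# SH1MMER bash shell after set_gbb_flags.sh. Bit values and names follow
# vboot's GBB flag definitions; only the bits that matter here are listed.

# Print the names of the set bits in a flags value (hex like 0x8090 or decimal).
decode_gbb() {
    flags=$(( $1 ))
    names=""
    for entry in 0x1:DEV_SCREEN_SHORT_DELAY 0x8:FORCE_DEV_SWITCH_ON \
                 0x10:FORCE_DEV_BOOT_USB 0x20:DISABLE_FW_ROLLBACK_CHECK \
                 0x40:ENTER_TRIGGERS_TONORM 0x80:FORCE_DEV_BOOT_LEGACY \
                 0x8000:FORCE_MANUAL_RECOVERY 0x10000:DISABLE_FWMP; do
        bit=${entry%%:*}
        [ $(( flags & $bit )) -ne 0 ] && names="$names ${entry#*:}"
    done
    echo "${names# }"
}

# Hardware write-protect pin as the firmware sees it (0 = off). With the
# battery disconnected this should read 0; if it reads 1 the GBB write fails.
wp_is_off() {
    [ "$(crossystem wpsw_cur 2>/dev/null)" = "0" ]
}

# Read the live flags back. Assumes get_gbb_flags.sh prints the value as the
# first 0x... token of its output; an empty result usually means flashrom
# could not read the RO region or the shell is not root.
read_gbb() {
    /usr/share/vboot/bin/get_gbb_flags.sh 2>/dev/null | grep -o '0x[0-9A-Fa-f]*' | head -n 1
}

# Compare a read-back value against what was intended (returns 0 = match).
gbb_matches() {
    have=$1; want=$2
    [ -n "$have" ] || { echo "could not read GBB flags" >&2; return 1; }
    if [ $(( $have )) -ne $(( $want )) ]; then
        echo "GBB mismatch: wanted [$(decode_gbb "$want")] got [$(decode_gbb "$have")]" >&2
        return 1
    fi
}

# Usage: gbb_check.sh 0x8090
if [ $# -eq 1 ]; then
    echo "expected flags: $(decode_gbb "$1")"
    wp_is_off || echo "warning: crossystem reports WP still on; the write will not stick" >&2
    gbb_matches "$(read_gbb)" "$1" && echo "GBB flags verified"
fi
```

A mismatch after step 3 almost always means the battery was not actually disconnected (or, on boards like dedede, that the WP method is different), so fix that before powering the machine back up rather than discovering it when developer mode refuses to boot from USB.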

    What now?

    You will now be able to, among other things, unenroll your Chromebook. It will then behave entirely as if it were a personal computer and no longer contain spyware or blocker extensions. After you do this and get past the "determining device configuration" screen, you will be able to actually turn developer mode on.

    Note that while unenrolled, it is recommended to add your personal account first, then add your school account, then switch between the two accounts as needed. Mercury Workshop does not condone the use of SH1MMER or unenrolling to cheat or plagiarize in school.

    The biggest challenges with unenrolling are connecting to the school network and taking state or national exams (since there are no kiosk applications anymore).

    There are many methods to get a school Wi-Fi password while enrolled, including the policy netlog trick found by Luphoria. While on a school account and unenrolled, you can bypass Wi-Fi blocks by using a secure DNS such as Cloudflare 1.1.1.1 from chrome://os-settings/osPrivacy. It is also recommended to enable "MAC Address Randomization" in chrome://flags to stay hidden.

    (Screenshots: Secure DNS / MAC Address Randomization)

    To take a kiosk exam, the safest option is to re-enroll temporarily. Instructions for doing that are hosted here: Kiosk Instructions, or alternatively in the original text file (for local copies): Kiosks.txt. Saving a copy of this text file for future reference is probably a smart move.

    You can also use fakemurk as a way to enroll your device but stay in developer mode and have control over policies and extensions. You may need to use this to get Wi-Fi passwords if chrome://net-export is blocked.