BadRecovery/OlyBmmer
Prerequisites
- A USB drive, preferably 8 GB or larger, for the patched recovery image.
Section I - Downloading a Recovery Image
First, you need a recovery image lower than v125 for your board.
Section II - Patch the Recovery image
Visit the BadRecovery Web Builder and upload the unpatched (colloquially: "raw") recovery image. Select Auto and wait for the process to complete. The patched image should download automatically.
Section III - Flashing the Image
Now, we need to flash the recovery image to a USB drive. Follow the below steps for your platform:
On *nix
On a ChromeOS device in developer mode, you can also use the following instructions to flash the drive. Otherwise, you can download the Chromebook Recovery Utility from the Chrome Web Store and use that to flash the drive. Just click on the top right button in the window and select "Use Local File", then select your .bin file. This probably won't work on an enrolled device, but if the extension is unblocked, you can do it entirely on that Chromebook.
Good choice of operating system, by the way. Most distros will come with the dd utility built-in. If yours doesn't, then choose a different distro or find another way to flash the recovery image. Run the following command, making sure that you have the correct /dev path to your USB drive and the correct path to your recovery image:
dd if=/path/to/recovery-image.bin of=/dev/sdX status=progress
In a few minutes, you should be done, and the command should exit with a 0 exit code.
On Windows
Download Rufus and run the executable. Select the .bin file you just downloaded and select your USB drive. Click on flash and follow the prompts. If asked, select "Flash in DD mode".
On macOS
Download Etcher and run the executable. Select the .bin file and your USB drive. Click on flash and follow the prompts.
Section IV - Booting BadRecovery
Unlike SH1mmer, do not enter devmode unless you have an ancient board (pre-CR50).
Instead, simply enter recovery normally (Esc+Refresh+Power) and plug in your drive. The recovery process should start, and after a while you should get kicked to a BadRecovery screen. Let it remove FWMP and enable dev mode. If it shows an error about tpmc failing to remove FWMP, your Chromebook is incompatible with the exploit. (This issue is not necessarily common anymore since the latest version patched this.)
Now, perform an EC reset (Refresh+Power).
Please note that your admin can see that your device is offline. If you are not allowed to do this, make sure to fakemurk your device by continuing this guide.
Section VI - Postmodem
If you want to be able to use school WiFi and be able to use your school's kiosk apps, continue to fakemurk.
If you want to run things like Linux on your Chromebook, consult the chrultrabook wiki.
...or you can just use it like a normal Chromebook and run things like Crostini. The choices are endless.