Skip to main content

Br1ck

An exploit found by byte, join copernicium for more info/help.

Prerequisites

  • A chromebook with a Cr50 chip on the latest version
  • Luck
  • Access to chrome://network#logs (optional, but recommended)
  • A USB drive
  • SuzyQ cable (if you are on dedede, but not all need one.)
  • Stopwatch

Section I - Downloading Shim

First, you need a RMA shim for your board.

Section II - Flashing shim

Now, we need to flash the recovery image to a USB drive. Follow the below steps for your platform:

On *nix

On a ChromeOS device in developer mode, you can also use the following instructions to flash the drive. Otherwise, you can download the Chromebook Recovery Utility from the Chrome Webstore and use that to flash the drive. Just click on the top right button in the window and select "Use Local File", then select your .bin file. This probably won't work on an enrolled device, but if the extension is unblocked, you can do it entirely on that Chromebook.

Good choice of operating system, by the way. Most distros will come with the dd utility built-in. If yours doesn't, then choose a different distro or find a way to flash the recovery image. Run the following command, making sure that you have the correct /dev path to your USB drive and the correct path to your recovery image:

dd if=/path/to/shim.bin of=/dev/sdX status=progress

In a few minutes, you should be done, and the command should exit with a 0 exit code.

On Windows

Download Rufus and run the executable. Select the .bin file you just downloaded and select your USB drive. Click on flash and follow the prompts. If asked, select "Flash in DD mode".

On MacOS

Download Etcher and run the excutable. Select the .bin file and your USB drive. Click on flash and follow the prompts.

Section III - Checking if you have access to chrome://network#logs

This process is pretty simple. Just visit chrome://network#logs

If it is unblocked, continue to Section IV:A.

If it is blocked, continue to Section IV:B.

Section IV:A - Access to chrome://network#logs

note

For step 9, Don't worry if Developer Mode is blocked

For step 13, if it tells you "Another press is required", just wait.

  1. Visit the Br1ck timer and follow the instructions.

  2. Memorize the time.

  3. Powerwash your chromebook by entering recovery mode (Esc+Refresh+Power)

  4. Proceed through the setup until the "Getting device ready" section.

  5. Wait for the next "Enterprise Enrollment" screen.

  6. When "Enterprise Enrollment" pops up, start the stopwatch.

  7. When your stopwatch is in the time range, perform an EC reset (Refresh+Power)

  8. If your Chromebook turns on again and you get a "Something went wrong" screen, you can continue. Otherwise, redo the steps.

  9. Once bricked, press Ctrl+D and Enter to enable developer mode and enter recovery mode again (Esc+Refresh+Power)

  10. Plug in your USB.

  11. When your shim boots, press D to select "Deprovision"

  12. Press B to open a bash shell and type this command:

gsctool -a -o

  1. Press the power button when it spams "Press PP button now!"

  2. Once you finished, you should be back at the "Welcome" screen.

  3. Go back into developer mode. (Esc+Refresh+Power -> Ctrl+D -> Enter).

  4. Once in developer mode, press Ctrl+D.

  5. Go through the process again.

  6. When on "Enterprise Enrollment" screen, boot into recovery mode (Esc=Refresh+Power)

  7. Boot the shim once again.

  8. Run deprovise (B) and reboot (E).

  9. Once booted, your device should be unenrolled.

Please note that your admin can see that your device is offline. If you are not allowed to do this, make sure to fakemurk your device by continuing this guide.

Section IV:B - No access to chrome://network#logs

note

For step 9, Don't worry if Developer Mode is blocked

For step 13, if it tells you "Another press is required", just wait.

  1. Powerwash your chromebook by entering recovery mode (Esc+Refresh+Power)

  2. Proceed through the setup until the "Getting device ready" section.

  3. Wait for the next "Enterprise Enrollment" screen.

  4. When "Enterprise Enrollment" pops up, start the stopwatch.

  5. When your Chromebook enrolls itself, stop the stopwatch and remove 1-1.5 seconds off the time it took to enroll.

  6. Follow step 1, and go through the setup.

  7. When on the "Enterprise Enrollment" screen again, start your stopwatch and wait for the time you got on step 4.

  8. EC-Reset (Refresh+Power)

  9. If your Chromebook turns on again and you get a "Something went wrong" screen, you can continue. Otherwise, redo the steps.

  10. Once bricked, press Ctrl+D and Enter to enable developer mode and enter recovery mode again (Esc+Refresh+Power)

  11. Plug in your USB.

  12. When your shim boots, press D to select "Deprovision"

  13. Press B to open a bash shell and type this command:

gsctool -a -o

  1. Press the power button when it spams "Press PP button now!"

  2. Once you finished, you should be back at the "Welcome" screen.

  3. Go back into developer mode. (Esc+Refresh+Power -> Ctrl+D -> Enter).

  4. Once in developer mode, press Ctrl+D.

  5. Go through the process again.

  6. When on "Enterprise Enrollment" screen, boot into recovery mode (Esc=Refresh+Power)

  7. Boot the shim once again.

  8. Run deprovise (B) and reboot (E).

  9. Once booted, your device should be unenrolled.

Please note that your admin can see that your device is offline. If you are not allowed to do this, make sure to fakemurk your device by continuing this guide.

Section V - Postmodem

If you want to be able to use school WiFi and be able to use your schools kiosk apps, continue to fakemurk

If you want to run things like linux on your chromebook, consult the chrultrabook wiki.

...or you can just use it like a normal chromebook and run things like Crostini. The choices are endless.