SH1mmer Unenrollment
Prerequisites
- A USB drive, 8 GB or larger, for the modified shim
Please note that SH1mmer has been patched for later devices, even if they have leaked shims. If the shim does not boot on your target device, you may need to use BadRecovery instead.
Section I - Download a Raw Shim
You need to download a raw RMA (Return Merchandise Authorization) shim for your board, which you found earlier. There are only a few of these that have been publicly leaked, and this tool automatically filters out boards that are not supported. You can get a shim at the following sites:
- https://dl.darkn.bio/
- https://chrome100.dev (sometimes)
Section II - Add the SH1mmer payload (BeautifulWorld)
Visit the SH1mmer Web Builder and upload your raw shim. Wait a couple of minutes for it to build, then download the result.
Section III - Flash the Shim
Got your built shim? Great! Now, there are some differing instructions depending on your platform.
On *nix
On a ChromeOS device in developer mode, you can also use the following instructions to flash the drive. Otherwise, you can download the Chromebook Recovery Utility from the Chrome Web Store and use that to flash the drive. Just click on the top right button in the window and select "Use Local File", then select your .bin file. This probably won't work on an enrolled device, but if the extension is unblocked, you can do it entirely on that Chromebook.
Good choice of operating system, by the way. Most distros will come with the dd utility built-in. If yours doesn't, then choose a different distro or find a way to flash the recovery image. Run the following command, making sure that you have the correct /dev path to your USB drive and the correct path to your recovery image:
dd if=/path/to/sh1mmer.bin of=/dev/sdX
In a few minutes, you should be done, and the command should exit with a 0 exit code.
On Windows
Download Rufus and run the executable. Select the .bin file you just downloaded and select your USB drive. Click on flash and follow the prompts. If asked, select "Flash in DD mode".
On macOS
Download Etcher and run the executable. Select the .bin file and your USB drive. Click on flash and follow the prompts.
Section IV - Boot SH1mmer
Boot your Chromebook and press and hold Esc+Refresh+Power for one second. Then, press Ctrl+D. At the next screen, press Refresh+Power. Now, plug in your USB drive and press Esc+Refresh+Power again. After a short loading screen, the SH1mmer menu should load.
Section V - Unenroll
Select the first option on the menu and you will be presented with a menu with a variety of payloads and utilities. What we're after is "Un-Enroll Device". Select it and reboot your device (Esc+Refresh).
If you're continuing to use E-Halcyon, ignore any errors that appear running the utility.
If you were on a version >111 and disabled WP, you will need to run some commands before anything will work. Otherwise, just skip past these paragraphs and unenroll normally. Open a bash shell (Utilities > Bash Shell) and run the following command:
/usr/share/vboot/bin/set_gbb_flags.sh 0x8090
Reboot, and boot into developer mode (Ctrl+D). Immediately, powerwash the device (Ctrl+Alt+Shift+R). After powerwashing, immediately switch into VT2 (Virtual Terminal 2) the second the device begins to boot (Ctrl+Alt+Forward). If asked for a username, type root and press enter, and if asked for a password, type test0000. Now run the following commands, as shown by this masterpiece of a meme:
tpm_manager_client take_ownership
cryptohome --action=remove_firmware_management_parameters
Finally, switch back to OOBE (Ctrl+Alt+Back) and powerwash (again). After powerwashing, you should be completely unenrolled and be able to use your device without any restrictions.
Your administrator will be able to see that your device is "offline", and you should spend as little time as possible in this state if you are not authorized to be following this tutorial.
Section VI - Next Steps
If you're using E-Halcyon, continue to Booting E-Halcyon.
If you want to re-enroll but keep your Chromebook unrestricted, continue to fakemurk.
...or you could just keep your device like this, and use it as a personal device. The choice is yours.