-
Notifications
You must be signed in to change notification settings - Fork 91
/
index.html
233 lines (226 loc) · 10 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>SH1MMER.me</title>
<meta name="robots" content="nofollow">
<meta name="og:title" content="SH1MMER">
<meta name="og:description" content="SH1MMER Chromebook jailbreak">
<meta name="og:type" content="website">
<meta name="og:image" content="assets/icon.png">
<meta name="og:url" content="https://sh1mmer.me/">
<link rel="icon" href="assets/icon.png" />
<link rel="stylesheet" href="assets/main.css" />
<script src="assets/script.js" defer></script>
<script>
var messages = {
mercury:
"Check the credits button at the bottom of the page for more info.",
friday:
"A rather unlucky day for sysadmins, indeed.",
pc:
"Or if you can download the recovery utility extension on your school computer, but that's exceedingly rare.",
board:
"Press ESC+REFRESH+POWER to enter recovery mode, and look up your codename on https://cros.tech/. Click your device, and your board name will be shown. Note that GRABBITER is the same as FLEEX (which is octopus) but is not shown on most online databases.",
launch:
"Click the extensions icon in Chrome, then click Chromebook Recovery Utility.",
};
</script>
<base target="_blank" />
</head>
<body>
<div class="header">
<h1>SH1MMER</h1>
<p class="acronym">
Shady Hardware 1nstrument Makes Machine Enrollment Retreat
</p>
</div>
<div class="section blue">
<h3>What is SH1MMER?</h3>
<p>
SH1MMER is an exploit capable of completely unenrolling
enterprise-managed Chromebooks. It was found by
the <a href="https://mercurywork.shop">Mercury Workshop team</a> and
was released on January,
<u onclick="alert(messages.friday)">Friday the 13th</u>, 2023.
For more info, check out the <a href="https://coolelectronics.me/blog/breaking-cros-2">Writeup</a>
</p>
<br>
<h4>
If this isn't working for you, check <a href="#fog" target="_self">"The Fog"</a> section below.
</h4>
</div>
<div class="section green">
<h3>What you will need</h3>
<ul>
<li>A USB drive with at least 1 GB of storage</li>
<li>
<u onclick="alert(messages.pc)">A personal computer or Chromebook;</u> note that you
need admin perms on Windows/MacOS
</li>
</ul>
<hr />
<h3>Flashing a USB drive</h3>
<p>
First, you'll need to find your Chromebook's board name. This can
be done by going to <kbd>chrome://version</kbd> on your Chromebook and
copying the word after <kbd>stable-channel</kbd>, or with
<u onclick="alert(messages.board)">a variety of other methods</u>.
</p>
<p>
If your board name is in the list below, your board has a publicly leaked RMA shim. If it's not, you'll have to
source it
on your own... somehow.
</p>
ambassador, banon, brask, brya, clapper, coral, corsola, cyan, dedede, edgar, elm, enguarde, fizz,
glimmer, grunt, hana, hatch, jacuzzi, kalista, kefka, kukui, lulu, nami, nissa, octopus, orco, puff,
pyro, reef, reks, relm, sand, sentry, snappy, stout, strongbad, tidus, trogdor, ultima, volteer, zork
<p>
First you need to download a SH1MMER bin at
<a href="https://dl.sh1mmer.me">dl.sh1mmer.me</a>
(or any other source)
</p>
<p>
Then build an injected shim using your bin at the
<a href="builder.html" target="_self">SH1MMER Web Builder</a><br />
You can also use the desktop version of wax for linux/WSL, located in the
<a href="https://github.com/MercuryWorkshop/sh1mmer">GitHub</a> repository.<br />
Once you've obtained a INJECTED SHIM (NOT A RAW SHIM), you can continue.
</p>
<p>
Download the
<a href="https://chrome.google.com/webstore/detail/pocpnlppkickgojjlmhdmidojbmbodfm">
Chromebook Recovery Utility extension</a> on your personal computer as well.
</p>
<p>
Once the downloads are complete,
<u onclick="alert(messages.launch)">launch the recovery utility</u>
and plug your USB drive into your personal computer.
</p>
<i>IMPORTANT: Your USB drive will be completely erased and partitioned.</i>
<p>
In the recovery utility window, click the settings icon and press "Use
local image".
</p>
<img src="assets/recovery_utility.png" style="width: auto; height: 350px" alt="Chromebook Recovery Utility" />
<p>
Select your shim file, identify your USB drive, and start the writing process.
This can take anywhere between 30 seconds and 20 minutes, depending on the
speed of your USB drive.
</p>
<i>
You can also use tools such as Rufus, BalenaEtcher, etc, to flash
on Windows. If you're on Linux, <kbd>dd</kbd> is recommended.
</i>
<hr />
<h3>Executing on Chromebook</h3>
<p>
Once writing is complete, enter recovery mode on your Chromebook. This
is done by pressing the power button (⏻), reload key (↻), and ESC key at the
same time. Your screen should look one of the images below:
</p>
<img src="assets/recover_black.png" style="width: auto; height: 350px" alt="Recovery mode (groot UI)" />
<img src="assets/recover_white.png" style="width: auto; height: 350px" alt="Recovery mode (old UI)" />
<p>Press <kbd>CTRL + D</kbd> on this screen, then press enter.</p>
<p>
It will now say something about "returning to secure mode" or that "OS
verification is off". You will not actually be in developer mode,
but the exploit will work regardless. Your screen should look like one
of the images below:
</p>
<img src="assets/confirm_black.png" style="width: auto; height: 350px" alt="TONORM (groot UI)" />
<img src="assets/confirm_white.png" style="width: auto; height: 350px" alt="TONORM+FWMP (old UI)" />
<p>
On this screen, press the power button (⏻), reload key (↻), and ESC key at
the same time again! This is very important and cannot be skipped.
</p>
<p>
Once it re-shows the original recovery screen, plug your shimmed USB drive
into your Chromebook. After a brief black-and-white loading screen, you should
be in the SH1MMER menu.
</p>
<img src="assets/utils-select01.png" style="width: auto; height: 350px" alt="SH1MMER Beautiful World UI" />
<p>Play around with the UI, exit, and reboot.</p>
<hr />
<h3>What now?</h3>
<p>
You will now be able to, among other things, unenroll your Chromebook.
It will now behave entirely as if it is a personal computer and no
longer contain spyware or blocker extensions.
</p>
<p>
Note that while unenrolled, it is recommended to add your personal
account first, then add your school account, then switch between the two
as needed. Mercury Workshop does not condone the use of SH1MMER or
unenrolling to cheat in school.
</p>
<p>
The biggest challenges with unenrolling are connecting to the school
network and taking state or national exams (since there are no kiosk
apps anymore).
</p>
<p>
There are many methods to get a school Wi-Fi password while enrolled,
including
<a href="https://luphoria.com/netlog-policy-password-tool">the policy netlog trick</a>. While on a school
account
and unenrolled, you can bypass some network-level blocks
by using a secure DNS such as Cloudflare 1.1.1.1 from
<kbd>chrome://os-settings/osPrivacy</kbd>. It is also recommended to
enable "MAC Address Randomization" in <kbd>chrome://flags</kbd> to stay
hidden.
</p>
<img src="assets/secure_dns.png" alt="Secure DNS" />
<img src="assets/mac_randomization.png" alt="MAC Address Randomization" />
<p>
To take a kiosk exam, the safest option is to re-enroll temporarily.
Instructions for doing that are hosted
<a href="assets/kiosks.txt">at this TXT file</a>. Saving a copy of this file
for future reference is probably a smart move.
</p>
<p>
You can also use <a href="https://github.com/MercuryWorkshop/fakemurk">fakemurk</a>
as a way to enroll your device but stay in developer mode and have control
over policies and extensions. You may need to use this to get WiFi passwords
if <kbd>chrome://net-export</kbd> is blocked.
</p>
<hr />
<div id="fog">
<h3>The Fog...</h3>
<h4>(Google's response, and why this might not be working for you)</h4>
<p>
Downgrading and unenrollment has been patched* by google. If your chromebook has never updated to version 112
before (check in <kbd>chrome://version</kbd>), then you can ignore this and follow the normal instructions. If not,
unenrollment will not work as normal.
</p>
<p>
If you aren't willing to take apart your chromebook to unenroll, you can use an affiliated project,
<a href="https://fog.gay">E-HALCYON</a> to boot into a deprovisioned environment temporarily.
</p>
<p>
If you are willing to take apart your Chromebook to unenroll, then go to the guides
here: <a href="unpatch.html" target="_self" >Unpatch</a> and <a href="unfog.html" target="_self" >Unfog</a>
<br>
Also see Darkn's great blog post <a href="https://blog.darkn.bio/blog/the-tsunami">here</a> for the "pencil exploit".
</p>
</div>
</div>
<div class="section blue">
<h3>
<a href="faq.html" target="_self">FAQ</a>
<a href="credits.html" target="_self">Credits</a>
<a href="scam.html" target="_self">Scams</a>
</h3>
<p>
We have a
<a href="https://akkoma.mercurywork.shop">Fediverse server!</a> Join if
you're interested or want a chill instance.<br />
For actual support, there is (begrudgingly) a
<a href="https://discord.gg/bAgNyGpXSx">Discord Server</a> as well.<br />
For the source code of SH1MMER, go to the
<a href="https://github.com/MercuryWorkshop/sh1mmer">GitHub</a>.<br />
</p>
</div>
</body>
</html>