forked from MercuryWorkshop/sh1mmer
-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.html
251 lines (238 loc) · 10.2 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>SH1MMER.me</title>
<link rel="icon" href="/icon.png" />
<link rel="stylesheet" href="/main.css" />
<script src="/script.js" defer></script>
<script is:inline>
$(document).ready(function () {
$("#fogbutton").click(function () {
$("html, body").animate(
{
scrollTop: $("#fog").offset().top,
},
1000,
);
});
});
</script>
<script>
var messages = {
mercury:
"Check the credits button at the bottom of the page for more info.",
friday:
"A rather unlucky day for sysadmins, indeed. 🤡🤡🤡🤡",
pc:
"Or if you can download the recovery utility extension on your school computer, but that's exceedingly rare.",
board:
"It's somewhere in the firmware log/debug info on the recovery screen. It is also shown at the bottom of the Android Preferences app. You can also go to a connected WiFi network in settings, click the Learn More link next to the message about syncing, and your board name will be somewhere in the URL of the newly-opened help tab.",
launch:
"Click the extensions icon in Chrome, then click Chromebook Recovery Utility.",
};
</script>
<base target="_blank" />
</head>
<body>
<div class="header">
<h1>SH1MMER</h1>
<p class="acronym">
Shady Hacking 1nstrument Makes Machine Enrollment Retreat
</p>
</div>
<div class="section blue">
<h3>What is SH1MMER?</h3>
<p>
SH1MMER is an exploit capable of completely unenrolling
enterprise-managed Chromebooks. It was found by
the <a href="https://mercurywork.shop">Mercury Workshop team</a> and
was released on January,
<u onclick="alert(messages.friday)">Friday the 13th</u>, 2023.
For more info, check out the <a href="https://coolelectronics.me/blog/breaking-cros-2">Writeup</a>
</p>
<h4>
If this isn't working for you, check
<button id="fogbutton" style="cursor: pointer">"The Fog"</button>
section below.
</h4>
</div>
<div class="section green">
<h3>What you will need</h3>
<li>A USB with at least 8 GBs of storage</li>
<li>
<u onclick="alert(messages.pc)">A personal computer or chromebook;</u> note that you
need admin perms on Windows/MacOS
</li>
<hr />
<h3>Writing to USB</h3>
<p>
First, you'll need to find your managed Chromebook's board name. This can
be done by going to <kbd>chrome://version</kbd> on your Chromebook and
copying the word after <kbd>stable-channel</kbd>, or with
<u onclick="alert(messages.board)">a variety of other methods</u>.
</p>
<p>
If your board name is in the list below, your board has a publicly leaked RMA shim. If it's not, you'll have to
source it
on your own... somehow.
</p>
brask, brya, clapper, coral, corsola, dedede, enguarde, glimmer, grunt,
hana, hatch, jacuzzi, kukui, nami, octopus, orco, pyro, reks, sentry,
stout, strongbad, tidus, ultima, volteer, zork
<p>
First you need to download a SH1MMER bin. Download a shim at <a
href="https://dl.sh1mmer.me/">dl.sh1mmer.me</a><br> , and build it with the <a
href="/builder" target="_self">SH1MMER web builder</a><br>
Once you've obtained a MODIFIED SHIM (NOT A RAW SHIM), you can continue.
</p>
<p>
Download the
<a href="https://chrome.google.com/webstore/detail/pocpnlppkickgojjlmhdmidojbmbodfm">
Chromebook Recovery Utility extension
</a>
<spc></spc>
on your personal computer as well.
</p>
<p>
Once the downloads are complete,
<u onclick="alert(messages.launch)">launch the recovery utility</u>
and plug your USB into your personal computer.
</p>
<i>Note: Your USB will be completely cleared and partitioned.</i>
<p>
In the recovery utility window, click the settings icon and press "Use
local image".
</p>
<img src="/assets/recovery_utility.png" />
<p>
Select your shim file, identify your USB, and start the writing process.
This will take about 10 minutes.
</p>
<hr />
<h3>Executing on Chromebook</h3>
<p>
Once writing is complete, enter recovery mode on your Chromebook. This
is done by pressing the power button (⏻), reload key (↻), and ESC key at the
same time. Your screen should look one of the images below:
</p>
<img src="/assets/recover_black.png" />
<img src="/assets/recover_white.png" />
<p>Press <kbd>CTRL + D</kbd> on this screen, then press enter.</p>
<p>
It will now say something about "returning to secure mode" or that "OS
verification is off". You will most likely not actually be in dev mode,
but the exploit will work regardless. Your screen should look like one
of the images below:
</p>
<img src="/assets/confirm_black.png" />
<img src="/assets/confirm_white.png" />
<p>
On this screen, press the power button (⏻), reload key (↻), and ESC key at
the same time again! This is very important and cannot be skipped.
</p>
<p>
Once it re-shows the original recovery screen, plug your shimmed USB
into your Chromebook, and press the power button (⏻), reload key (↻), and
ESC key again. After a brief black-and-white loading screen, you should
be in the SH1MMER menu.
</p>
<img src="/assets/utils-select01.png" />
<p>Play around with the UI, exit, and reboot.</p>
<hr />
<div id="fog">
<h3> The Fog...</h3>
<h4>(Google's response, and why this might not be working for you)</h4>
<p>
Downgrading and unenrollment has been patched by google. If your chromebook has never updated to version 112
before (check in <kbd>chrome://version</kbd>), then you can ignore this and follow the normal instructions. If not,
unenrollment will not work as normal.
If you aren't willing to take apart your chromebook to unenroll, you can use an affiliated project,
<a href="https://fog.gay">E-HALCYON</a> to boot into a deprovisioned environment temporarily
</p>
</div>
<hr />
<h3>How to use SH1MMER on v111 → v113 </h3>
<h4>(if you're willing to take the back cover off your Chromebook)</h4>
<p>you'll only need to do this once, and it will let you use SH1MMER even after it's been completely patched</p>
<pre>
1. Unplug everything, open the back panel, disconnect the battery to disable WP, plug in the charger
2. boot into SH1MMER and use "Un-Enroll / Deprovision" (yes I know it will show an error, but that doesn't
matter)
(you will also need to run "Disable block_devmode" if you're using the old legacy version)
3. go to the bash shell and run this command:
<kbd>/usr/share/vboot/bin/set_gbb_flags.sh 0x8090</kbd>
<i>do not use "Reset GBB Flags" after this</i>
4. exit SH1MMER, unplug everything, reconnect the battery, reconnect the charger
5. boot up, press <kbd>CTRL + D</kbd> to enter developer mode
6. once it completes, use <kbd>CTRL + ALT + SHIFT + R</kbd> to powerwash
7. after powerwash, immediately go into VT2 by pressing <kbd>CTRL + ALT + F2 (→)</kbd>, login as "root" and run these commands:
<kbd>tpm_manager_client take_ownership</kbd>
<kbd>cryptohome --action=remove_firmware_management_parameters</kbd>
<i>if it fails, try downgrading to v110 if possible. if you can't, use E-Halycon instead.</i>
8. press <kbd>CTRL + ALT + F1 (←)</kbd>, use <kbd>CTRL + ALT + SHIFT + R</kbd> to powerwash again
9. profit
NOTE: if you're on dedede, your WP method is probably different. look your model up online to find the WP
method.
</pre>
<hr />
<h3>What now?</h3>
<p>
You will now be able to, among other things, unenroll your Chromebook.
It will now behave entirely as if it is a personal computer and no
longer contain spyware or blocker extensions. After you do this and get
past the "determining device configuration" screen, you will be able to
actually turn dev mode on.
</p>
<p>
Note that while unenrolled, it is recommended to add your personal
account first, then add your school account, then switch between the two
as needed. Mercury Workshop does not condone the use of SH1MMER or
unenrolling to cheat in school.
</p>
<p>
The biggest challenges with unenrolling are connecting to the school
network and taking state or national exams (since there are no kiosk
apps anymore).
</p>
<p>
There are many methods to get a school Wi-Fi password while enrolled,
including
<a href="https://luphoria.com/netlog-policy-password-tool">the policy netlog trick</a>. While on a school
account
and unenrolled, you can bypass Wi-Fi blocks
by using a secure DNS such as Cloudflare 1.1.1.1 from
<kbd>chrome://os-settings/osPrivacy</kbd>. It is also recommended to
enable "MAC Address Randomization" in <kbd>chrome://flags</kbd> to stay
hidden.
</p>
<img src="/assets/secure_dns.png" />
<img src="/assets/mac_randomization.png" />
<p>
To take a kiosk exam, the safest option is to re-enroll temporarily.
Instructions for doing that are hosted
<a href="/kiosks.txt" target="_self">at this TXT file</a>. Saving a copy of this file
for future reference is probably a smart move.
</p>
</div>
<div class="section blue">
<h3>
<a href="/faq.html" target="_self">FAQ</a>
<a href="/scam.html" target="_self">Scams</a>
<a href="/credits.html" target="_self">Credits</a>
</h3>
<p> We have a
<a href="https://akkoma.mercurywork.shop">
Fediverse server!
</a>
<spc></spc>
Join if you're interested or want a chill instance.<br>
For actual support, there is (begrudgingly) a <a href="https://discord.gg/bAgNyGpXSx">
Discord
</a>
<spc></spc>as well.
</p>
</div>
</body>
</html>