forked from MercuryWorkshop/sh1mmer
-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.html
182 lines (178 loc) · 7.13 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>SH1MMER.me</title>
<link rel="icon" href="/icon.png" />
<link rel="stylesheet" href="/main.css" />
<script src="/script.js" defer></script>
<script>
var messages = {
mercury:
"Check the credits button at the bottom of the page for more info.",
friday:
"A rather unlucky day for sysadmins, indeed. 🤡🤡🤡🤡",
pc: "Or if you can download the recovery utility extension on your school computer, but that's exceedingly rare.",
board:
"It's somewhere in the firmware log/debug info on the recovery screen. It is also shown at the bottom of the Android Preferences app. You can also go to a connected WiFi network in settings, click the Learn More link next to the message about syncing, and your board name will be somewhere in the URL of the newly-opened help tab.",
launch:
"Click the extensions icon in Chrome, then click Chromebook Recovery Utility.",
};
</script>
<base target="_blank" />
</head>
<body>
<div class="header">
<h1>SH1MMER</h1>
<p class="acronym">
Shady Hacking 1nstrument Makes Machine Enrollment Retreat
</p>
</div>
<div class="section blue">
<h3>What is SH1MMER?</h3>
<p>
SH1MMER is an exploit capable of completely unenrolling
enterprise-managed Chromebooks. It was found by
the <a href="https://mercurywork.shop">Mercury Workshop team</a> and
was released on January,
<u onclick="alert(messages.friday)">Friday the 13th</u>, 2023.
For more info, check out the <a href="https://coolelectronics.me/blog/breaking-cros-2">Writeup</a>
</p>
</div>
<div class="section green">
<h3>What you will need</h3>
<li>A USB with at least 8 GBs of storage</li>
<li>
<u onclick="alert(messages.pc)">A personal computer or chromebook;</u> note that you
need admin perms on Windows/MacOS
</li>
<hr />
<h3>Writing to USB</h3>
<p>
First, you'll need to find your managed Chromebook's board name. This can
be done by going to <kbd>chrome://version</kbd> on your Chromebook and
copying the word after "stable-channel", or with
<u onclick="alert(messages.board)">a variety of other methods</u>.
</p>
<p>
If your board name is in the list below, your board has a publicly leaked RMA shim. If it's not, you'll have to
source it
on your own... somehow.
</p>
brask, brya, clapper, coral, dedede, enguarde, glimmer, grunt, hana,
hatch, jacuzzi, kukui, nami, octopus, orco, pyro, reks, sentry, stout,
strongbad, tidus, ultima, volteer, zork
<p>
First you need to download a sh1mmer bin. Download a shim at <a
href="https://files.ultimatesrv.com/">files.ultimatesrv.com</a><br> , and build it with the <a
href="builder.html">sh1mmer web builder</a><br>
Once you've obtained a MODIFIED SHIM (NOT A RAW SHIM), you can continue.
</p>
<p>
Download the
<a href="https://chrome.google.com/webstore/detail/pocpnlppkickgojjlmhdmidojbmbodfm">
Chromebook Recovery Utility extension
</a>
<spc></spc>
on your personal computer as well.
</p>
<p>
Once the downloads are complete,
<u onclick="alert(messages.launch)">launch the recovery utility</u>
and plug your USB into your personal computer. Note that your USB will
be completely cleared and partitioned.
</p>
<p>
In the recovery utility window, click the settings icon and press "use
local image".
</p>
<img src="/assets/recovery_utility.png" />
<p>
Select your shim file, identify your USB, and start the writing process.
This will take about 10 minutes.
</p>
<hr />
<h3>Executing on Chromebook</h3>
<p>
Once writing is complete, enter recovery mode on your Chromebook. This
is done by pressing the power button, reload key (↻), and esc key at the
same time. Your screen should look one of the images below:
</p>
<img src="/assets/recover_black.png" />
<img src="/assets/recover_white.png" />
<p>Press <kbd>ctrl+d</kbd> on this screen, then press enter.</p>
<p>
It will now say something about "returning to secure mode" or that "OS
verification is off". You will most likely not actually be in dev mode,
but the exploit will work regardless. Your screen should look like one
of the images below:
</p>
<img src="/assets/confirm_black.png" />
<img src="/assets/confirm_white.png" />
<p>
On this screen, press the power button, reload key (↻), and esc key at
the same time again! This is very important and cannot be skipped.
</p>
<p>
Once it re-shows the original recovery screen, plug your shimmed USB
into your Chromebook, and press the power button, reload key (↻), and
esc key again. After a brief black-and-white loading screen, you should
be in the SH1MMER menu.
</p>
<img src="/assets/utils-select01.png" />
<p>Play around with the UI, exit, and reboot.</p>
<hr />
<h3>What now?</h3>
<p>
You will now be able to, among other things, unenroll your Chromebook.
It will now behave entirely as if it is a personal computer and no
longer contain spyware or blocker extensions. After you do this and get
past the "determining device configuration" screen, you will be able to
actually turn dev mode on.
</p>
<p>
Note that while unenrolled, it is recommended to add your personal
account first, then add your school account, then switch between the two
as needed. Mercury Workshop does not condone the use of SH1MMER or
unenrolling to cheat in school.
</p>
<p>
The biggest challenges with unenrolling are connecting to the school
network and taking state or national exams (since there are no kiosk
apps anymore).
</p>
<p>
There are many methods to get a school Wi-Fi password while enrolled,
including
<a href="https://luphoria.com/netlog-policy-password-tool">the policy netlog trick</a>. While on a school account
and unenrolled, you can bypass Wi-Fi blocks
by using a secure DNS such as Cloudflare 1.1.1.1 from
<kbd>chrome://os-settings/osPrivacy</kbd>. It is also recommended to
enable "MAC Address Randomization" in <kbd>chrome://flags</kbd> to stay
hidden.
</p>
<img src="/assets/secure_dns.png" />
<img src="/assets/mac_randomization.png" />
<p>
To take a kiosk exam, the safest option is to re-enroll temporarily.
Instructions for doing that are hosted
<a href="/kiosks.txt">at this TXT file</a>. Saving a copy of this file
for future reference is probably a smart move.
</p>
</div>
<div class="section blue">
<h3>
<a href="/faq.html" target="_self">FAQ</a>
<a href="/credits.html" target="_self">Credits</a>
</h3>
<p> We now have a
<a href="https://akkoma.mercurywork.shop">
Fediverse server!
</a>
<spc></spc>
Join if you're interested.
</p>
</div>
</body>
</html>