As of September 16th, sh1mmer with the tsunami bypass has been confirmed working with ChromeOS r128. This exploit allows for unenrollment and the ability to switch into developer mode, plus other things.
FCPS Chromebooks come in two models - HP Fortis G10 and G11. You can check this on the underside of the chromebook, which will usually be under the FCPS barcode (this varies from school to school).
- Conductive Material: Staple, Tin Foil, etc. I highly recommend you to purchase a chip clip ($7 avg).
- Scissors
- Tape (Recommended, but optional)
- 1GB or larger USB flash drive or SD card
- Relatively small phillips screwdriver
- Prying tool: Credit card, flathead screwdriver, etc.
- Another computer
- A functioning brain
Once you have checked the model of your chromebook, you need to download a couple files for the exploit.
- Board:
nissa - [Pre-Injected RMA shim](insert download link here later)
- Chromebook Recovery Utility (ignore if using linux)
- Board:
dedede - [Pre-Injected RMA shim](insert download link here later)
- Chromebook Recovery Utility (ignore if using linux)
Once you've downloaded the shims, open the chromebook recovery utility. If you're using linux, skip to the bottom of this section. The utility will open in a new window. Press the settings gear in the top right, and click "Use Local Image", as indicated in the picture.
It will then prompt you to select a file. Navigate to wherever you downloaded your shim to, and double click it (the file should be called either dedede.bin or nissa.bin depending on your model's board).
After this, plug in your USB and select it from the list. Press Start in the utility. It should only take about a minute maximum, depending on your USB drive.
If you're on linux, use the command sudo dd if=name_of_shim.bin of=/dev/sdX making sure to replace sdX with the actual id of your USB drive and name_of_shim.bin with dedede.bin or nissa.bin
Once it finishes, you can close out of it. Next, you'll need to remove the case of the chromebook. Pop off the bottom and slide up the top part of the case, and pop off the bottom half, as indicated in the picture.
Once the case is off, unscrew the back cover as shown in the picture, and insert your pry tool into the spots marked with the blue arrows. Pry gently around the laptop.
The back cover breaks VERY easily!! Please be careful.
Next, find the battery connector on the chromebook and disconnect it. After this, you need to find the BIOS chip on the chromebook, which I have marked in the picture along with the battery connector which will usually be covered with black tape.
To do the exploit properly, pins 3 and 8 on the chip need to be bridged. If you're using a chip clip, you can skip to the bottom of this section. Place your conductive material on the pins and secure it firmly with the tape. I have outlined the path between the pins in red in this image.
If using a chip clip, clip it to the chip so the red wire matches the pin that has the indent next to it, then use a paperclip or safety pin to bridge the pins on the other side of the clip, like in this image. The pins that need to be bridged (when holding it notch side up) are pin 3 (2 to the right of the top left pin) and pin 8 (bottom left pin)
Next, hold ESC + Refresh + Power on your chromebook to boot it into recovery mode. It should look like this:
insert image later lolol
DO NOT INSERT YOUR USB DRIVE. Press CTRL + D on this screen, and hit confirm to turn on developer mode. Right after this, hold ESC + Refresh + Power again. Now, plug in your USB. It will boot into the sh1mmer menu. This will take about 30 seconds. Go to Utilities > Un-enroll device. This should error, but it's required for the exploit. Next, go to Utilities > Bash Shell (navigate with arrow keys). Your screen should look something like this:
insert image later lololol
Make sure the pins are bridged on the chip at this point, or push down hard on the paperclip/safety pin if using a chip clip. Run these commands in the shell:
flashrom --wp-disable
/usr/share/vboot/set_gbb_flags.sh 0x8090If the commands exit with success, conrgatulations! If they error, the pins are not bridged correctly and you need to try again.
Reboot the chromebook and select "Boot from internal disk".
Your device will transition to developer mode for 5 minutes, then reboot.
DO NOT CONTINUE WITH THE SETUP, AND DO NOT CONNECT TO WIFI!
Switch to VT2 with CTRL + ALT + Refresh immediately.
Login as root and run these commands:
tpm_manager_client take_ownership
cryptohome --action=remove_firmware_management_parametersThe last command will error because my chromebook died lolol dw i'll finish this writeup once I get my charger back