CryptoSmite
FWSmasher [MunyDev, Darkn, kxtzownsu (Katelyn), BinBashBanana], unretained, fallenmoon8080, Catakang#0987

Website Blog GitHub Discord Source

The kernver value of your Chromebook must end with 0, 1, or 2 to perform this exploit.

How it Works

Uses stateful backups that allow changing the encrypted contents of the stateful partition to arbritary contents. This data is useful for enrollment status, so it was changed to make the device appear unenrolled. On the OOBE, it starts the AutoEnrollmentController, which chains into the ash ownership system, and then the ownership system checks for a file. If this file exists, it removes firmware management parameters (FWMP).

Performing the Exploit

    Instructions

    Instructions may contain minor inaccuracies such as unmatching cases.
  1. Enter recovery mode.
  2. On a personal device, download stateful.tar.xz.
  3. Download CryptoSmite chroot.
  4. Clone the CryptoSmite repository by executing git clone https://github.com/FWSmasher/CryptoSmite in a terminal.
  5. In the terminal, change the directory to the cloned directory that was created.
  6. Execute ./cryptosmite_host.sh + (raw rma shim path) + (cryptsetup chroot path) + (stateful.tar.xz path).
    7. Using the Recovery Utility
  7. Install the Chromebook Recovery Utility extension.
  8. Open the "Chromebook Recovery Utility" extension.
  9. In the extension popup, at the top right, select Use local image.
  10. Select the local recovery image.
  11. Insert the USB or SD card you want to flash.

    Important: Existing data will be erased from the USB or SD card when flashing with the utility.

  12. Follow the prompts in the utility.
  13. On your Chromebook, press Esc + Refresh ↻, then press Power ⏻.
  14. Turn off OS verification by attempting to enable Developer Mode.
    15. Attempt to Enable Developer Mode Important: You may want to back up important local data on your profile before doing this.
  15. Press Ctrl + D.

    An OS verification confirmation message should appear.

  16. Press Enter.

    After a few seconds, a screen should appear indicating that OS verification is off and Developer Mode is blocked. [Image]

  17. Press Esc + Refresh ↻, then press Power ⏻.

    The previous screen should appear with OS verification turned off.

  18. Insert the external memory device with CryptoSmite flashed.

    This should inject an RMA shim which boots the system into the CryptoSmite interface.

  19. Navigate to the Edit Stateful Bash screen.
  20. In the bash shell, execute tar -xvf /mnt/shim_stateful/stateful.tar.xz -C /mnt/stateful exit to reboot the system into verified mode.
  21. On the oobe screen, select the OK button.
  22. When the setup pane has appeared, enable Developer Mode.

    If the process gets stuck, it is recommended to make an issue on GitHub.

    23. Unfinished :0