SH1MMER
Mercury Workshop

Website Blog GitHub

Shady Hacking 1nstrument Makes Machine Enrollment Retreat

SH1MMER is an exploit capable of completely unenrolling enterprise-managed Chromebooks. It was discovered by the Mercury Workshop team and released on Friday, January 13th, 2023. For more info, check out the Writeup.

Important: Shim downloading has been taken down by Google. Use this rehosted link to get a shim for your board.

Requirements

  • USB drive with at least 8GB of storage
  • Personal computer or laptop; admin permissions are necessary on Windows, macOS, Linux, *BSD, and most UNIX-based operating systems.

    Writing to USB

      Instructions

    1. First, find your managed Chromebook's board name. Go to chrome://version on the Chromebook and copy the word that follows the channel name on the Platform line (for example, "stable-channel octopus" means the board is octopus), or use any of the other methods for finding it.
    2. If your board name is in the list below, a publicly leaked RMA shim exists for it. If it's not, you'll have to source a shim on your own.

      brask, brya, clapper, coral, corsola, dedede, enguarde, glimmer, grunt, hana, hatch, jacuzzi, kukui, nami, octopus, orco, pyro, reks, sentry, stout, strongbad, tidus, ultima, volteer, zork

    3. Download a raw shim for your board from dl.sh1mmer.me, then build it into a SH1MMER shim with the SH1MMER web builder.
    4. Once you have a MODIFIED SHIM (NOT A RAW SHIM), you can continue.
    5. Install the Chromebook Recovery Utility extension on your personal computer as well.
    6. Once the downloads are complete, launch the recovery utility and plug your USB drive into your personal computer. Note: the USB drive will be completely erased and repartitioned.
    7. In the recovery utility window, click the settings icon and choose "Use local image".
    8. Select your modified shim file, pick your USB drive, and start the writing process. This takes about 10 minutes.

    Booting

      Instructions

    1. Press Esc + Refresh ↻, then press Power ⏻.
    2. Press Ctrl + D.

      An OS verification confirmation message should appear.

    3. Press Esc + Refresh ↻, then press Power ⏻.

      The original recovery screen should appear.

    4. Insert the USB drive you flashed with the modified shim into your Chromebook.
    5. Press Esc + Refresh ↻, then press Power ⏻.

      The SH1MMER menu should load shortly.

      The Fog

      (Google's response, and why this may fail)

      Downgrading and unenrollment have both been patched. If your Chromebook has never updated to version 112 or later (check chrome://version), you can ignore this and follow the regular instructions. If it has, unenrollment will not work as normal. If you aren't willing to take apart your Chromebook to unenroll, you can use an affiliated project, E-HALCYON, to boot into a deprovisioned environment temporarily.

    How to use SH1MMER on v111 → v113

    (if you're willing to take the back cover off your Chromebook)

    You only need to do this once, and it will let you use SH1MMER even after it's been completely patched.

      Instructions

    1. Unplug everything, open the back panel, disconnect the battery to disable firmware write protection (WP), then plug in the charger.
    2. Boot into SH1MMER and use "Un-Enroll / Deprovision" (it will show an error, but that doesn't matter).

      (you will also need to run "Disable block_devmode" if you're using the old legacy version)

    3. Go to the bash shell and run this command:

      /usr/share/vboot/bin/set_gbb_flags.sh 0x8090

      Do not use "Reset GBB Flags" after this.

    4. Exit SH1MMER, unplug everything, reconnect the battery, then reconnect the charger.
    5. Boot up and press Ctrl+D to enter Developer Mode.
    6. Once the transition completes, press Ctrl+Alt+Shift+R to powerwash.
    7. After powerwashing, immediately enter VT2 with Ctrl+Alt+F2 (→), log in as "root" and run these commands:

      tpm_manager_client take_ownership

      cryptohome --action=remove_firmware_management_parameters

      If either command fails, try downgrading to v110 if possible. If you can't, use E-HALCYON instead.

    8. Press Ctrl+Alt+F1 (←), and use Ctrl+Alt+Shift+R to powerwash again.
    NOTE: If you have a dedede board, your WP method is probably different. Look your model up online to find its write-protect disable method.
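    The two firmware-side steps above, the 0x8090 GBB flags word in step 3 and the FWMP removal in step 7, are easier to reason about if you can see which bits that word sets and confirm afterwards that the firmware management parameters are really gone. The shell script below is an added example, not code from the SH1MMER project or its shim. The flag names and bit positions follow vboot's 2gbb_flags.h (bit 7 was formerly called FORCE_DEV_BOOT_LEGACY and bit 15 DISABLE_DWMP). The clear_fwmp function wraps the exact two commands from step 7; its use of `cryptohome --action=get_firmware_management_parameters` as a post-check, and the assumption that it exits non-zero once no FWMP is stored, are assumptions about the tools on the device, which is why the script only runs it when you pass `--run`. The constant names, the table layout and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not SH1MMER project code): decode a vboot GBB flags word such
# as the 0x8090 used in step 3, and wrap the step 7 FWMP removal with a check.
# Bit names follow vboot_reference's 2gbb_flags.h; bit 7 was formerly
# FORCE_DEV_BOOT_LEGACY and bit 15 was formerly DISABLE_DWMP.

GBB_FLAG_TABLE="0:DEV_SCREEN_SHORT_DELAY 1:LOAD_OPTION_ROMS"
GBB_FLAG_TABLE="$GBB_FLAG_TABLE 2:ENABLE_ALTERNATE_OS 3:FORCE_DEV_SWITCH_ON"
GBB_FLAG_TABLE="$GBB_FLAG_TABLE 4:FORCE_DEV_BOOT_USB 5:DISABLE_FW_ROLLBACK_CHECK"
GBB_FLAG_TABLE="$GBB_FLAG_TABLE 6:ENTER_TRIGGERS_TONORM 7:FORCE_DEV_BOOT_ALTFW"
GBB_FLAG_TABLE="$GBB_FLAG_TABLE 8:RUNNING_FAFT 9:DISABLE_EC_SOFTWARE_SYNC"
GBB_FLAG_TABLE="$GBB_FLAG_TABLE 10:DEFAULT_DEV_BOOT_ALTFW 11:DISABLE_PD_SOFTWARE_SYNC"
GBB_FLAG_TABLE="$GBB_FLAG_TABLE 12:DISABLE_LID_SHUTDOWN 13:DEFAULT_DEV_BOOT_FASTBOOT_FULL_CAP"
GBB_FLAG_TABLE="$GBB_FLAG_TABLE 14:ENABLE_SERIAL 15:DISABLE_FWMP"

# decode_gbb_flags VALUE -> prints the names of every set bit, in bit order.
# VALUE may be hex (0x8090) or decimal. Bits outside the table are reported
# as UNKNOWN(0x...) rather than silently dropped.
decode_gbb_flags() {
    value=$(( $1 ))
    out=""
    known=0
    for entry in $GBB_FLAG_TABLE; do
        bit=${entry%%:*}
        name=${entry#*:}
        known=$(( known | (1 << bit) ))
        if [ $(( value & (1 << bit) )) -ne 0 ]; then
            out="$out $name"
        fi
    done
    unknown=$(( value & ~known ))
    if [ "$unknown" -ne 0 ]; then
        out="$out UNKNOWN($(printf '0x%x' "$unknown"))"
    fi
    printf '%s\n' "${out# }"
}

# gbb_flag_set VALUE NAME -> exit 0 if NAME's bit is set in VALUE, 1 if it
# is clear, 2 if NAME is not a flag this table knows about.
gbb_flag_set() {
    value=$(( $1 ))
    for entry in $GBB_FLAG_TABLE; do
        if [ "${entry#*:}" = "$2" ]; then
            if [ $(( value & (1 << ${entry%%:*}) )) -ne 0 ]; then
                return 0
            else
                return 1
            fi
        fi
    done
    return 2
}

# Step 7 wrapper: take TPM ownership, remove the FWMP, then verify it is gone.
# A non-zero return is the cue from the text to try downgrading to v110 or to
# fall back to E-HALCYON. Only run this as root in VT2 on the device.
clear_fwmp() {
    tpm_manager_client take_ownership || { echo "take_ownership failed" >&2; return 1; }
    cryptohome --action=remove_firmware_management_parameters \
        || { echo "remove_firmware_management_parameters failed" >&2; return 1; }
    # Assumption: the get_ action exits non-zero once no FWMP is stored.
    if cryptohome --action=get_firmware_management_parameters >/dev/null 2>&1; then
        echo "FWMP still present after removal" >&2
        return 1
    fi
    echo "FWMP cleared"
}

echo "0x8090 sets: $(decode_gbb_flags 0x8090)"
if gbb_flag_set 0x8090 DISABLE_FWMP; then
    echo "DISABLE_FWMP is set: firmware will ignore the block_devmode FWMP"
fi
if [ "${1:-}" = "--run" ]; then
    clear_fwmp
fi
```

    Running the script with no arguments only decodes the word: 0x8090 is FORCE_DEV_BOOT_USB, FORCE_DEV_BOOT_ALTFW and DISABLE_FWMP, which is why step 3 works and why "Reset GBB Flags" afterwards would undo it. If the shim ships vboot's companion get_gbb_flags.sh next to set_gbb_flags.sh, its output can be fed to decode_gbb_flags to confirm what is currently in flash before and after step 3.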

    What now?

    You will now be able to, among other things, unenroll your Chromebook. It will then behave entirely like a personal device and no longer carry the management monitoring software or blocker extensions. After you do this and get past the "determining device configuration" screen, you will be able to actually turn dev mode on.

    Note that while unenrolled, it is recommended to add your personal account first, then add your school account, then switch between the two as needed. Mercury Workshop does not condone the use of SH1MMER or unenrolling to cheat in school.

    The biggest challenges with unenrolling are connecting to the school network and taking state or national exams (since there are no kiosk apps anymore).

    There are many methods to get a school Wi-Fi password while enrolled, including the policy netlog trick. While on a school account and unenrolled, you can bypass Wi-Fi blocks by using a secure DNS such as Cloudflare 1.1.1.1 from chrome://os-settings/osPrivacy. It is also recommended to enable "MAC Address Randomization" in chrome://flags to stay hidden.

    To take a kiosk exam, the safest option is to re-enroll temporarily. Instructions for doing that are hosted at kiosks.txt. Saving a copy of this file for future reference is probably a smart move.