One day I was looking around a person’s blog when I stumbled across one of their posts titled “Breaking chromeOS’s enrollment security model: A postmortem”. I was intrigued, but there were a few things wrong with their post, which prompted me to write a post of my own with the correct fixes.
As of Dec 27, 2023, their blog has fixed the incorrectly listed pins.
Please understand that I DO NOT RECOMMEND DOING THIS. It is risky, dangerous, and not easy for beginners. Attempt it at your own risk. Any damage done is your own fault, not mine or anyone else’s.
- Conductive Material: Staple, Tin Foil, Paperclip, etc.
- Scissors: $4 avg.
- Tape: $4 avg. (Recommended, but optional)
- USB or SD Card with SH1MMER
- Screwdriver corresponding to your Chromebook screws
- Competence and courage, because I don’t recommend this.
Opening The Chromebook
First, you will need to open up your Chromebook using, most likely, a Phillips screwdriver. After that, disconnect the battery from the Chromebook. The method for disconnecting the battery connector varies by model.
Afterward, look around the Chromebook motherboard for a small 8-pin chip, with pins that either stick out from the sides of the package or sit flush underneath it. These chips tend to have WINBOND or GIGADEVICE branding, and may say either 25Q64[xx] or 25Q128[xx] right below the branding. You may need to flip the motherboard over to find this chip.
Your Chromebook may have more than one of these chips; look for the one that most closely matches the description above or the pictures provided below.
Please understand that the SOIC-8 chip (the one on the left, or the one that appears second) is much easier to bridge than the WSON-8 chip (the one on the right, or the one that appears first).
Now you’re going to have to use the picture(s) below as reference on what pins to bridge, as this is important. These are the charts for both of the chips:
“How do you bridge these pins?” This is where the supplies you gathered earlier come into play, as they are how you will bridge the pins.
Take a piece of your conductive material and shape it into something long enough to reach from one side of the chip to the other, while being narrow enough not to touch more than one pin on either side. I cannot provide measurements, as the chip size differs between models.
Using the charts above, find the circle/indent on the chip so you know where each pin is located. Then take your conductive material and place one end on pin 3 (WP) and the other end on pin 8 (VCC). MAKE SURE it is making contact with those pins and IS NOT making contact with any nearby pins. You may place tape on top of the chip to hold the conductive material against the pins, but only if you have to.
Use the picture below to know where to put the tin foil and tape:
- Green: Indent / Circle
- Red: Conductive Material
- Blue: Tape
Booting Into SH1MMER
After the pins are securely bridged, you may plug in the charger (or reconnect the battery) along with all the other necessary cables and boot the Chromebook. Once it has booted, boot into SH1MMER as you normally would: disable OS verification (blocked or not), boot into the “Insert Recovery Media” screen, and plug in your SH1MMER USB or SD card.
Enter the Utilities screen and run “Un-Enroll Device” (or “Deprovision Device” if Legacy). This won’t do anything on its own yet, but it’s a necessary step. After that, enter the Bash Shell and run the following two commands. It should end up like the picture below:
flashrom --wp-disable
/usr/share/vboot/bin/set_gbb_flags.sh 0x8090
If either command fails here, the write protect is still active and you need to repeat the Bridging Pins instructions.
Booting into ChromeOS
Reboot the Chromebook and get past the OS verification screen by pressing CTRL + D. After waiting about 5 minutes for it to boot into ChromeOS, DO NOT PROCEED WITH THE SETUP SCREEN. Instead, enter the VT2 shell by pressing CTRL + ALT + F2.
Log into the shell as root and run the following two commands. It should end up like the picture below:
tpm_manager_client take_ownership
cryptohome --action=remove_firmware_management_parameters
Both commands should report success, and if they do, that’s great! Simply exit the VT2 shell by pressing CTRL + ALT + F1, then powerwash the Chromebook by pressing CTRL + ALT + SHIFT + R. Once it’s powerwashed, you may go through the setup screen, and it shouldn’t re-enroll anymore!
I don’t know what to say except that I strongly do not recommend doing this. It’s a difficult process for new users who don’t know how to bridge pins, and it’s very easy to brick your Chromebook doing this.
There have already been reports of people bricking their Chromebooks in servers like the SH1MMER Discord or the TitaniumNetwork Discord. These are the result of bridging the wrong pins, bridging multiple pins, or many other mistakes.
Note: Some of these reports don’t have any evidence, but it probably did happen.
All in all, just don’t do this shit. If your Chromebook bricks, that’s on you. But if you do this and your Chromebook ends up unenrolled, then congratulations. You took the risk for a huge reward, and now you can do whatever the hell you want on that Chromebook.
As for me, I have OCTOPUS and JACUZZI Chromebooks where I can downgrade to any version anytime I want and use SH1MMER because I used this guide, so I don’t need to do this.
Not like I’d ever do this myself anyways.