[TUT] How to Bypass Forced Re-enrollment on a Chromebook (TEMP)

Bronac

Have a chromebook that is managed by your pesky school or workplace? Hate their restrictions? Can't enable dev mode?
I've got your solution.
FIRST:
This will only work if your institution does not have a proxy or web filter service (i.e. Zscaler), it will only work at home or at a place where the internet connection is not modified or filtered, etc. i.e. your home WiFi.
This will wipe all of the local files and downloads on the device so make sure you've backed them up first.
The method exploits the Guest account feature of Chrome OS which is temporary (meaning nothing is saved).
When you close the lid of the device and open it back up, it might log you out of the Guest account and force you to start over.
This takes a little bit of time, so don't do it before an exam or something stupid like that.
WARNING: I do not take responsibility for fucking up your BIOS or bricking your chromebook. If you get caught by your IT staff, you should stop browsing this sub forum forever, because you're not ready to do things like this. I didn't suggest you do this, I just showed you how, so it's up to you to be responsible for it.
This will also only work if your institution has forced re-enrollment, doesn't allow dev mode, forces you to login using your issued email (the one they gave to you, not your i.e. Gmail account or regular/personal Google account) and allows for re-enrollment of the device using your institution issued account (meaning that when you get to the re-enrollment screen, you don't need to know the Gsuite/Google Admin's login info to re-enroll the device back into the domain).
First step!
- Open your chromebook lid and make sure it has an adequate level of battery. Make sure you are either at the sign-in screen or already signed in. Press the ESC + REFRESH (⟳) + POWER buttons at the same time. Hold the ESC + ⟳ keys until the screen turns back on.
- The screen will display something along the lines of telling you Chrome OS is missing or damaged and to enter a recovery USB stick; press CTRL + D once and follow on-screen instructions to proceed with turning off OS Verification until the chromebook restarts yet again.
- When it restarts, you should see the screen "OS Verification is off. Press space to re-enable it again" with a picture of a chromebook screen and a big red exclamation point in it. Press CTRL + D once.
- Assuming (it should be or you don't need this tut) it tells you dev mode is blocked and will restart your device in verified mode, essentially bringing you to the startup screen saying "Welcome!" with a "Let's go" button at bottom right and other non-important shit to the bottom left.
- YOU WILL NEED AN INTERNET CONNECTION THAT DOES WORK AND FUNCTION CORRECTLY; WE WILL BE MESSING WITH THE PROXY SETTINGS TO FAKE THE OS OUT INTO THINKING YOU DON'T
- Once at the Welcome! screen, press the keys CTRL + ALT + LSHIFT + D once and make sure there is no text entered in the box. If it is already blank, click cancel, if there is text in it, delete it and click restart and wait a few seconds.
- Now, press CTRL + ALT + LSHIFT + H and press "Yes" on the dialogue that appears (if nothing comes up, skip this step). Wait for it to restart then press again CTRL + ALT + LSHIFT + D and erase all text in the text box and press the Restart button.
- Wait for restart and then press the bottom right corner blue "Let's go" button.
- Pick your WiFi network and connect to it. Once connected, repeat the above three steps until you are again back on the Welcome! screen.
- Once you've done that, notice how Chrome OS is still connected to your WiFi network, but not automatically booting you to the next step; this is what this whole exploit is based off of.
- Click the Let's go button again, and it will bring you to the network selection screen again as it already had done in the previous steps. This time, however, you need to click the option (scroll down to the bottom if needed) second to the bottom of the network list labeled "Proxy Settings".
- On the dialogue that appears, uncheck the option to "Configure IP address automatically" and change the last number in the IP address box by an increment of +4/-4. Ex if your IP (that is predefined in that box, not your 192.168.x.xx local router IP that you use to manage your router, although this might be the one listed in the box but you won't need to change but the last digit) is 10.250.6.54, change it to 10.250.6.50 (increment of -4 once). If the last digit is for example .3 or anything less than .4, increase it by +4 instead of -4 (no negative IP values).
- Then, head on down to the Name servers section and if the option "Automatic name servers" is selected, change it to "Google name servers". If it's on Google's, change it to automatic.
- After this, close out of the dialogue.
- Now, click the Next button at the bottom right.
- Your chromebook will now attempt to check for updates, which it cannot do because we tampered with and invalidated the connection after Chrome checks to see if it is valid. This is its flaw.
- Wait a few minutes for Chrome to give up trying to check for updates in which you will be presented with a screen that informs you that it could not check for updates and failed to do some other validation shit; in which this body of text you will see a blue "link" stating that you can try to login as (a) Guest to try and solve/fix the problem. Click this.
- You will then be logged in as a Guest user and therefore free of all the restrictions put onto you by your institution, because Chrome has not yet "Determined device configuration" and thus has not yet re-enrolled your device.
- You now have complete internet and device freedom until you either restart the device or close the lid (some models not all. You can tell the chromebook not to sleep when the lid is shut via the settings app; just search for "sleep".). Make sure you go back into the WiFi configuration settings and recheck "Configure IP address automatically" and change back to the name servers option that was already pre-set before you changed it above so you can actually access the internet.
- This is the farthest I've messed with the Guest account and there is probably a way to further exploit it and even sign in to your personal account and not your institution email and maybe bypassing the enrollment process. You can indeed sign in to your Google account so you can access stuff like Gmail and whatnot but it will not sign in to the actual chromebook, just the browser.
Step 2:
- Once you're done with this and want to sign back into the chromebook itself, just simply press the buttons ⟳ + POWER once which will restart the device and bring you back to the Welcome! screen.
- Follow all the normal on-screen steps and instructions in re-enrolling your device into your domain. BE SURE TO NOT CHANGE THE ASSET IDENTIFIER AND DEVICE LOCATION AS IF YOU DO YOUR DOMAIN/IT ADMIN WILL BE ABLE TO NOTICE IT CHANGED IN THEIR GOOGLE ADMIN CONSOLE AND THEY WILL KNOW YOU MESSED WITH THE DEVICE. SO JUST DON'T DO IT.
This is a fairly lengthy process, yes, but it gets the job done. I will continue to try and exploit the Guest account feature in hopes of being able to bypass enrollment altogether or being able to enroll it in my own domain and removing the restrictions. If I do, I'll update this thread.
Hope this helps! And if you have any problems when following this tut just shoot me a PM and I'll help you through it.
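The admin-side view of the above, as an added example that is not part of the original post: Step 2 re-enrolls the device, and the post notes that asset identifier and location changes show up in the Google Admin console, so diffing two inventory snapshots surfaces both. The field names follow the Admin SDK Directory API `chromeosdevices` resource; the snapshots, serial numbers and the timestamp layout are constructed assumptions.

```python
from datetime import datetime

# Constructed snapshots shaped like Admin SDK Directory API chromeosdevices
# records; serial numbers, asset IDs, locations and times are made up.
BEFORE = [
    {"serialNumber": "EXAMPLE-0001", "annotatedAssetId": "LAB-17",
     "annotatedLocation": "Room 204", "lastEnrollmentTime": "2023-09-01T08:00:00.000Z"},
    {"serialNumber": "EXAMPLE-0002", "annotatedAssetId": "LAB-18",
     "annotatedLocation": "Room 204", "lastEnrollmentTime": "2023-09-01T08:05:00.000Z"},
    {"serialNumber": "EXAMPLE-0003", "annotatedAssetId": "LAB-19",
     "annotatedLocation": "Room 101", "lastEnrollmentTime": "2023-09-01T08:10:00.000Z"},
]
AFTER = [
    dict(BEFORE[0]),
    dict(BEFORE[1], lastEnrollmentTime="2023-11-14T19:42:10.000Z"),
    dict(BEFORE[2], annotatedAssetId="", lastEnrollmentTime="2023-11-15T07:03:00.000Z"),
]
WATCHED = ("annotatedAssetId", "annotatedLocation")

def _ts(value):
    # Assumed timestamp layout: 2023-09-01T08:00:00.000Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def diff_snapshots(before, after):
    """Return {serial: [findings]} for devices that differ between snapshots."""
    old = {d["serialNumber"]: d for d in before}
    findings = {}
    for dev in after:
        prev = old.pop(dev["serialNumber"], None)
        if prev is None:
            notes = ["not present in earlier snapshot"]
        else:
            notes = []
            if _ts(dev["lastEnrollmentTime"]) > _ts(prev["lastEnrollmentTime"]):
                notes.append("re-enrolled since earlier snapshot")
            for field in WATCHED:
                a, b = prev.get(field, ""), dev.get(field, "")
                if a != b:
                    notes.append(f"{field} changed: {a!r} -> {b!r}")
        if notes:
            findings[dev["serialNumber"]] = notes
    for serial in old:  # devices that dropped out of the inventory export
        findings[serial] = ["absent from later snapshot"]
    return findings

if __name__ == "__main__":
    for serial, notes in sorted(diff_snapshots(BEFORE, AFTER).items()):
        print(serial, "; ".join(notes))
```

A re-enrollment with no matching IT ticket is worth a follow-up even when the asset identifier and location are unchanged.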
 
