Unenrolling via sh1mmer as well as downgrading are impossible in versions after chromeOS 111 #57

Closed
ItsTact opened this issue May 4, 2023 · 71 comments

Comments

@ItsTact

ItsTact commented May 4, 2023

i don't want to spend 20 more hours trying to get chrome 112 to downgrade with various bash commands that don't work if someone else has found a solution

@mylesbartlett72

you don't need bash commands to downgrade, you just need a recovery usb. You need shell commands to block fw upgrade.
IMPORTANT: DO NOT RUN THE SH1MMER BUILD TOOL ON THE RECOVERY USB, FLASH IT DIRECTLY

You can use fakemurk to block updates automatically, and make your chromebook appear enrolled still.

If you want to sign in with a home account instead (i.e. you don't want to use fakemurk):
After downgrading, you can use sh1mmer mostly as normal. Some stuff doesn't work (since 112 patched the security chip firmware, and you can't downgrade that), but you can still unenroll. Once unenrolled, get developer mode with the standard procedure (the one for chromebooks that are not enterprise-enrolled, you cannot do it from sh1mmer with the security chip fw update). Once you get back to Chrome OS, do not connect to a network, but switch to virtual terminal 2. Disable rootfs verification, then reboot. Get back to vt2. Replace the unit file for the update service with a dummy one that does nothing. Reboot again, switch to vt2 again, and verify the change to the unit file persisted. If it did, you can now connect to a network and set up Chrome OS.

This is basically what I did, except I used sh1mmer before the patch, so I cannot verify whether you can e.g. get vt2 on the sign in screen. I can confirm replacing the update service unit file with a dummy one (e.g. prepend a hashtag to every line to make it all comments) does indeed prevent updates from occurring, at least on 110.

@ItsTact
Author

ItsTact commented May 4, 2023

i already succeeded in using sh1mmer on 108, but me being dumb updated to 112 to use linux, and then i couldn't downgrade to do anything, as all of the sh1mmer build utilities lead to a line 73 error.

are you sure what you're saying applies here?

@mylesbartlett72

> i already succeeded in using sh1mmer on 108, but me being dumb updated to 112 to use linux, and then i couldn't downgrade to do anything, as all of the sh1mmer build utilities lead to a line 73 error.
>
> are you sure what you're saying applies here?

huh let me look at that to see if there is anything obvious

Are you using the web builder or the local one?

@mylesbartlett72

mylesbartlett72 commented May 4, 2023

Line 73 of wax.sh looks like this:

```sh
echo "Injecting payload"
```

are you using wax_macos.sh by any chance?

(on wax_macos.sh it is a copy operation, which could potentially fail)

@ItsTact
Author

ItsTact commented May 4, 2023

no
i used the web builder but i am 100% it was working before i updated to 112
downgrading leads me to google's "this is not a valid thing"

@ItsTact
Author

ItsTact commented May 4, 2023

Message is:
line 73: read: THERE WAS AN ERROR! The utility likely did not work. Press return to continue.

@mylesbartlett72

> no i used the web builder but i am 100% it was working before i updated to 112 downgrading leads me to google's "this is not a valid thing" it might have been line 71 or something but it's where it says the utility didn't work, let me find a ss

huh, not sure how the web builder works (i built locally)

@mylesbartlett72

> Message is: line 73: read: THERE WAS AN ERROR! The utility likely did not work. Press return to continue.

What happens if you, well, press return to continue?

@mylesbartlett72

wait

I think I recognise that error

@ItsTact
Author

ItsTact commented May 4, 2023

returns to the menu and then upon restart the device is enrolled again and i can't log in to anything but a school account

@ItsTact
Author

ItsTact commented May 4, 2023

i am pretty sure this is patched i just want Mr. Cool Electronics here to post part 4 on their blog to see if they have a solution to this instead of me trying and failing to inject code

@mylesbartlett72

> returns to the menu and then upon restart the device is enrolled again and i can't log in to anything but a school account

which option did you select in the menu?

@ItsTact
Author

ItsTact commented May 4, 2023

GBB, unenroll, and unblock dev mode had the problems i think
i can try again but that takes another couple minutes

@mylesbartlett72

> GBB, unenroll, and unblock dev mode had the problems i think i can try again but that takes another couple minutes

unblock dev mode is known to be broken at the moment

I think you just need GBB and unenroll to work to be able to unenroll (there is a race condition you can abuse from there to get dev mode)

@ItsTact
Author

ItsTact commented May 4, 2023

what's the "race condition"

@mylesbartlett72

> what's the "race condition"

it's not really relevant here, it's basically how you can get dev mode even with the patch to the security chip (basically there is a brief window in which you can take ownership of it)

@mylesbartlett72

> GBB, unenroll, and unblock dev mode had the problems i think i can try again but that takes another couple minutes

OK, I have little to no clue why they are going wrong (apart from the fact the unenroll option runs the enable dev mode option as well, which is probably why you get an error with it)

I am going to find out where the gbb flag setting script is, to see if I can figure out what is wrong with it

(by the way, posting error messages verbatim really helps with figuring out what the heck happened)

(also, have you built a new shim and tested that since you first unenrolled? there might have been an update that works around this)

@ItsTact
Author

ItsTact commented May 4, 2023

i have not done that, i will check later today.
also i only have that one error message i got above
thanks for the help, i'll get back to this

@mylesbartlett72

oh huh the gbb flag setting script looks like it is part of the stock shims

it looks like the gbb flags utility in sh1mmer just tries to clear all of them

@mylesbartlett72

Also, have you rolled back your chromeOS version?

chromeOS always checks enrollment starting from version 111 (before, it would only check if the relevant vpd flag was set)

@ItsTact
Author

ItsTact commented May 4, 2023

i thought i mentioned i'm on version 112

@mylesbartlett72

> i thought i mentioned i'm on version 112

ah yeah that would be it my bad

@mylesbartlett72

> > i thought i mentioned i'm on version 112
>
> ah yeah that would be it my bad

you did mention it, I should have made it more clear you need to downgrade

@mylesbartlett72

https://chrome100.dev/ should have a recovery image for your board

@ItsTact
Author

ItsTact commented May 4, 2023

the thing is, i can't, so i guess that's it

@mylesbartlett72

> the thing is, i can't, so i guess that's it

what board do you have?

@ItsTact
Author

ItsTact commented May 4, 2023

octopus
at version 112 when i try to downgrade to 110 it throws "You are using an outdated ChromeOS image"

@mylesbartlett72

> octopus at version 112 when i try to downgrade to 110 it throws "You are using an outdated ChromeOS image"

dangit

@ItsTact
Author

ItsTact commented May 4, 2023

image
precisely why i am asking when a part 4 is coming

@mylesbartlett72

ah yeah

there might be a way to do it, but it's a long shot

@ItsTact
Author

ItsTact commented May 7, 2023

btw i did manage to downgrade to 108 LTS (108.0.5359.230) last night but as the blog says, it was patched in April; 108 LTC (108.0.5359.221) will still refuse to boot on mine

@zeglol1234

CoolElectronics if you want to make the state of the project more obvious, why don't you put it in the README lol

@ItsTact
Author

ItsTact commented May 10, 2023

> Downgrade using Balena Etcher, download a recovery image from chrome100.dev, flash it and it will work.

No it will not.

@HAHALOSAH

HAHALOSAH commented May 10, 2023

(ONLY WORKS IF YOUR CHROMEBOOK HAS NEVER UPDATED TO 112 BEFORE, NO LONGER FUNCTIONAL)
Alright, so this is what worked for me

  1. Use sh1mmer and fix GBB
  2. Downgrade to older ChromeOS with an image from https://chrome100.dev
  3. Go back to sh1mmer, fix GBB & deprovision, then disable updates
  4. Enable OS verification
  5. Go through chromebook setup screen until it asks who is using this, then you can enable developer mode if you want

@zeglol1234

dead chat 💀

@TheMemeSniper
Collaborator

shut the fuck up

@Nametag71

Nametag71 commented May 16, 2023

> > what's the "race condition"
>
> it's not really relevant here, it's basically how you can get dev mode even with the patch to the security chip (basically there is a brief window in which you can take ownership of it)

how do you do that?

@mylesbartlett72

> > > what's the "race condition"
> >
> > it's not really relevant here, it's basically how you can get dev mode even with the patch to the security chip (basically there is a brief window in which you can take ownership of it)
>
> how do you do that?

fakemurk sets it up automatically, but to use fakemurk you need to be able to use sh1mmer

you could probably take a look at the fakemurk code and rip that part out, but idk which partition of the shim you would need to put it in (if it's the kernel partition, you can't, but if it's the rootfs, you probably can if you set everything else up correctly)

@velzie
Member

velzie commented May 17, 2023

112 blocks modification of certain tpm values during recovery boot mode specifically. no commands will help. there are several methods of unenrolling past 112 if you're willing to take write protection off, which requires taking off the back of your chromebook (for example setting gbb flags)
if that's out of your scope, you'll have to wait for our semi-patch-bypass to release in a stable state

r58Playz changed the title from "Downgrading is blocked in R112, leading to unenrollment via sh1mmer being impossible" to "Unenrolling via sh1mmer as well as downgrading are impossible in versions after chromeOS 111" on May 17, 2023

r58Playz pinned this issue on May 17, 2023

@Nametag71

> i don't want to spend 20 more hours trying to get chrome 112 to downgrade with various bash commands that don't work if someone else has found a solution

take out the battery, run the unenroll script and you should see an error, go to bash and type "/usr/share/vboot/bin/set_gbb_flags.sh 0x8090", then you should be able to use dev mode and downgrade because it works in dev mode and sign in and update it afterwards. Hope this helps.

@ItsTact
Author

ItsTact commented May 19, 2023

> > i don't want to spend 20 more hours trying to get chrome 112 to downgrade with various bash commands that don't work if someone else has found a solution
>
> take out the battery, run the unenroll script and you should see an error, go to bash and type "/usr/share/vboot/bin/set_gbb_flags.sh 0x8090", then you should be able to use dev mode and downgrade because it works in dev mode and sign in and update it afterwards. Hope this helps.

The problem with this approach is that upon reaching the signing in page the chromebook errors with something something time-lock management something, because the chromebook realizes it's not supposed to be in dev mode but it is. the bottom left sign in with personal account button doesn't work upon clicking

@velzie
Member

velzie commented May 19, 2023

that's not a problem with the method it's an occasional odd chromebook bug that is fixed by powerwashing or recovering

@ItsTact
Author

ItsTact commented May 19, 2023

but like i tried it about 10 times...

@velzie
Member

velzie commented May 19, 2023

it's not a problem with either sh1mmer or the gbb method, go somewhere else for your issues

@trevorwatkins1129

Hmm. I'm on Dedede with ChromeOS v112.0.5615.134, and it works fine for me.

@bobeatsshit

Maybe a stupid question but could you just replace the version of an older recovery image and just trick the chromebook check?

@ItsTact
Author

ItsTact commented May 21, 2023

sh1mmer website was updated with instructions, if they don't work then cope harder

ItsTact closed this as completed on May 21, 2023

velzie reopened this on May 21, 2023

@velzie
Member

velzie commented May 21, 2023

(reopening as full instructions haven't been added yet, will close when we finish with adding the alternative methods)

@velzie
Member

velzie commented May 25, 2023

fixed by https://fog.gay

@onsomlem

> no i used the web builder but i am 100% it was working before i updated to 112 downgrading leads me to google's "this is not a valid thing"

Try doing this:
Hold esc + refresh/f3 + power button for a little, or just press it 🤷. Once your screen stops moving and says insert recovery media, just press ctrl + d* (*the letter d on your keyboard guys) and then enter (to continue how it says on your screen right now if you're following). When your screen says "OS verification is off", DO NOT PRESS SPACE; instead press esc + refresh/f3 + power button and then plug your recovery media in once the screen says to. It should not complain about your recovery media not being up to date. If it does not work my knowledge is now obsolete and i quit cuz i put my life force into this 💀

@ben10101010

Or, you could follow the instructions on the sh1mmer website, which tells you how to turn off WP, then unenroll your chromebook. Didn’t work for me though, I might have to get a special cable to disable it.

MercuryWorkshop deleted a comment from MunyDev on Dec 21, 2023

@inLnx

inLnx commented Aug 23, 2024

yall still here?
