Read only mirror: a set of scripts for spoofing verified and enrolled on a developer-mode chromebook
Toshit bddf2116fa Update README.md | 8 mēneši atpakaļ | |
---|---|---|
lib | 1 gadu atpakaļ | |
.gitignore | 1 gadu atpakaļ | |
.gitmodules | 1 gadu atpakaļ | |
ISSUE_TEMPLATE | 1 gadu atpakaļ | |
LICENSE | 1 gadu atpakaļ | |
Makefile | 1 gadu atpakaļ | |
README.md | 8 mēneši atpakaļ | |
autoupdate.sh | 1 gadu atpakaļ | |
backdoor.c | 1 gadu atpakaļ | |
chromeos_startup.sh | 1 gadu atpakaļ | |
cr50-update.conf | 1 gadu atpakaļ | |
crossystem.sh | 1 gadu atpakaļ | |
crossystem_boot_populator.sh.pre | 1 gadu atpakaļ | |
fakemurk-daemon.sh | 1 gadu atpakaļ | |
fakemurk.sh.pre | 8 mēneši atpakaļ | |
fakemurk_lib.sh.pre | 1 gadu atpakaļ | |
fwmp-race-sa.sh | 1 gadu atpakaļ | |
header.sh | 1 gadu atpakaļ | |
image_patcher.sh.pre | 1 gadu atpakaļ | |
keymap.map | 1 gadu atpakaļ | |
logkeys.elf | 1 gadu atpakaļ | |
mush.sh | 1 gadu atpakaļ | |
mwtrollinggoogleforfakemurk_VPD | 1 gadu atpakaļ | |
patchpolicy | 1 gadu atpakaļ | |
pollen.json | 10 mēneši atpakaļ | |
pre-startup.conf | 1 gadu atpakaļ | |
troll.txt | 1 gadu atpakaļ | |
vpd.sh | 1 gadu atpakaļ | |
vpd_get_value.sh | 1 gadu atpakaļ |
murk - "mûrk": noun
1. To re-enroll a previously shimmered chromebook.
The Skid Dictionary of the English Language, 7th Edition.
fakemurk
is a tool intended for use on an already unenrolled chromebook. It will allow you to re-enroll, making your chromebook appear identical to an enrolled one, except keep developer mode, and even boot off a linux USB, all while tricking chromeOS into thinking you're in verified mode, so your chromebook will not show up any different from the hundreds of other chromebooks in your enterprise's google admin console.
[!WARNING] Fakemurk still reports that the chromebook was switched into devmode. See issue 12.
If you're interested, check out coolelectronics's writeup/blog
We're going to assume that if you're reading this, there's a 99% chance you're either a student, (or hey maybe even a sysadmin for a school), and you've probably recently used sh1mmer on your chromebook.
Now, we're also going to go out on a limb here and say that if you're a student, there's a good chance your local sysadmin does not want you to be unenrolling, and if you have a more nosy one, they're gonna try and find people unenrolling. There's also a good chance you didn't properly cover your tracks, and certain logs in the google admin console can reveal you. Your school might also require the use of kiosk apps for tests, and you might not know how to spoof them. You also might not know your school's wifi password, but still want to be free of restrictions and spying at home
The list goes on.
For best results, we recommend recovering with a 107 recovery image prior to running the script. It makes things more consistent and less likely to randomly fail. Fakemurk will not work on anything above ChromeOS v116. It will give you either, a sshd error, or it will say ChromeOS is missing or damaged. So don't try it.
First, you want to already have an unenrolled chromebook and you want to turn devmode on. You also might want to prepare a USB with the linux distro of your choice (or maybe chromeos flex). Install MrChromebox's RW_LEGACY bios if you haven't already.
Next, head over to chrome-untrusted://crosh, type shell
and then type out the following commands one by one
sudo -i
bash <(curl -SLk https://github.com/MercuryWorkshop/fakemurk/releases/latest/download/fakemurk.sh)
Do everything it tells you to, and your chromebook will reboot.
If you get an error about a filesystem being readonly run
fsck -f $(rootdev)
then reboot
If you simply press ctrl-d on the devmode screen and proceed as normal, there's a good chance you'll be stuck on the "enrolling device" screen forever, then get an enrollment error complaining about a certificate.
IF THIS HAPPENS, what you want to do is press refresh+power to reboot the chromebook, when it gives you the os verification screen press space to disable devmode, and then press refresh+power. This will result in a "Chrome OS is missing or damaged" screen. THIS IS SUPPOSED TO HAPPEN!. Press escape+refresh+power, then ctrl+d and enter to reenable devmode. When you get back to the "OS verification screen" press Ctrl-D to boot.
If you get another "Chrome OS is missing" screen, and you're absolutely sure that you didn't press space after the re-enable step, you might have run into a semi-common bug. We haven't pinned down the cause of this yet, but it can usually be fixed by downgrading/recovering to a 107 or 105 image, then restarting all the steps from the beginning, but make sure to omit the devmode cycle steps above, and just keep devmode on the entire time.
Also, DO NOT use the sign out button to sign out of ChromeOS, use Power + Refresh or Reboot in crosh. If you use the sign out button there is a 90% chance your Chromebook will freeze then when it reboots, you will need to use Sh1mmer's disable block dev mode to remove the screen, don't worry. This is not the firmware blocking dev mode, just ChromeOS. So you can still use the Sh1mmer disable block dev mode on any CR50 version.
(note that if you have a "dedede" chromebook, the steps for enabling and disabling devmode are slightly different but you should already know or know how to google)
fakemurk does not fake reporting what version you're on. The longer you stay on the same version with fakemurk could start to raise flags as your version will be much lower. After a few months, consider recovering with a v107 recovery image, then run sh1mmer to unenroll, then update to 111 or whatever the latest stable version is, then use fakemurk, and repeat on new releases. You only need to do this every once in a while.
ChromeOS interally uses a library called "crossystem" (chrome os system), which reports critical low-level information about the current state of the system, such as the hardware ID, and importantly here whether devmode is enabled or not. Since a lot of low level ChromeOS code is written in bash, it couldn't have crossystem be a c++ library, so it gets compiled to a static binary on the system instead. crossystem
isn't the only internal library written like this, but it's the most important one. Again, if you want to know more about how this works, look at the writeup
Since the system trusts this crossystem file to tell if devmode is enabled and snitch about its status to the Google Admin Console, we can make our own version of this file that perpetually reports devmode being off, even though the system still lets us boot unverified versions of ChromeOS.
This limbo state, however, comes with strings attached. As the OS thinks we're in verified mode, typing shell
into crosh, and escalating to root with sudo
does not work. Luckily, since the firmware is in developer mode, we can disable rootfs verification and drop a backdoored sshd config, as well as replace any binary in the system with our own custom script. This is where mush
comes into play.
mush
is a drop-in replacement for crosh, offering various utilites such as a shell and more. mush is what really ties fakemurk together, making it more than just developer mode on verified boot. With mush, you have full OS control without leaving CrOS. This effectively means you are in a pseudo developer mode, where as far as the OS is concerned everything is normal, but you have full behind-the-scenes shell access.
Mush contains the following features:
By default, the script will modify policies allowing you to do the following:
Easy! While fakemurk is installed, go into your downloads folder (NOT GOOGLE DRIVE), make a folder and call it "disable-extensions". As long as that folder exists, no extension will be able to load and you'll be able to visit crosh, where you can then delete the folder and use mush to gain more fine-grain control over the specific extensions you want to enable.
If this doesn't work, there's an 85% chance you did something really dumb while installing and need to read the directions more carefully. You should NOT ping or dm any of the creators about your failure.
Now, there's also the chance that something is genuinely broken and if you get the text "THIS IS A BUG, REPORT IT HERE https://github.com/MercuryWorkshop/fakemurk/issues"
, you should do just that, but making sure you don't see any duplicates first. Follow the issue template
Use the titanium network discord for any further questions, please don't harass anyone in dms.