FCPS Tech exploits

A list of functioning offline downloads for all of the stuff on my website after it got blocked, as well as instructions for bypassing consorship and jailbreaking school computers in FCPS.

Warning

Sh1mmer and most recent unenrollement exploits work on FCPS chromebooks. If you somehow have a Ti50 board (which you probably dont, so things SHOULD work normally) use the Ti50 version of the Pencil Bypass¹ . View the writeup here.

Recent leaks from inside DIT have proven than most, if not ALL chromebooks in FCPS have cr50 boards.

These hacks might not work on computers outside of FCPS because every district and/or county uses different software and hardware.

Shimboot works, PROBABLY with similar issues.

Legal disclaimer and anti-censorship statement

This repo has been created to help students bypass and combat district censorship and restrictions. I DO NOT endorse or encourage the useage of the following exploits for cheating, theft, and/or harmful activity (including, but not limited to exploiting cybersecurity).

To FCPS DIT: CIPA does NOT give you the legal right to compromise student privacy on the internet and/or limit access to information on the internet, which IS a right of all students. The purpose of this "exploit doc" is to help people protest excessive censorship and unethical DIT practices. Action taken against people who use these exploits can be ground for legal counteraction.

To learn more, please visit https://redflagmachine.com/research/ for an example of the censorship and rights violations that are incurred via internet censorship.

Chromebooks

Most people at FCPS have been switched to chromebooks, which are much harder to jailbreak than to old Windows laptops.

G10 chromebooks (drawper) have cr50 chips, which the G11 ones (yavijo) have might, but probably dont have ti50, making it harder to unenroll if you have a ti50.

According to a high-level leak from inside DIT, MOST, if not all FCPS chromebooks have ti50. Highschool Drawper chromebooks have cr50 chips (proof), while the middle school Yavijo ones are ti50 capable, but we have older models that have cr50 chips (proof).

If something doesnt work for some reason, it MIGHT be because you are unfortunate enough to have a ti50, in which case you are out of luck, unless you can BYOD.

To prevent admin from finding out about your unenrollment, use fakemurk or murkmod (recommended) to fake enrollment. See the corresponding section below for more details.

This document might also be useful for unenrollment

Sh1mmer

As of September 16th (2024 I think), sh1mmer with the tsunami bypass has been confirmed working with ChromeOS r128. This exploit allows for unenrollment and the ability to switch into developer mode, plus other things.

FCPS Chromebooks come in two models - HP Fortis G10 and G11. You can check this on the underside of the chromebook, which will usually be under the FCPS barcode (this varies from school to school).

G11 Chromebook: nissa

G10 Chromebook: dedede

Full writeup is available here: https://github.com/catfoolyou/Block-Bypass/blob/main/shimmer.md

Shimboot

Shimboot is an exploit based on sh1mmer that boots a linux distribution off a USB or a spoofed unenrolled chromeOS. It works because the rootfs of the shim (a recovery image) is not verified, meaning that it can be replaced with whatever else.

FCPS High School chromebooks (drawper) have NOT been tested with shimboot yet.

Full writeup is available here: https://github.com/catfoolyou/Block-Bypass/blob/main/shimboot.md

Br1ck

It is capable of unenrolling all devices with a Cr50 chip on the latest version, v130. It has a low chance of being patched without a release of a new Chromebook model.

Theoretically it should work on all FCPS chromebooks, and some people have actually used it successfully.

nissa chromebooks (the G11 ones) will PROBABLY not work. Don't come back here bitching about it.

Full writeup and instructions are here: https://br1ck.vercel.app/

SuzyQ cable exploit (requires unenrollment)

Full explanation here: https://docs.mrchromebox.tech/docs/firmware/wp/disabling.html and here https://docs.mrchromebox.tech/images/wp/Drawman_wp.jpg

This will allow you to disable Hardware WP without opening your device, and this may not work on all devices. You also need to be unenrolled first or have FWMP off with Developer Mode on.

Please note to do this Kajig you need to own a SuzyQ cable or adapter, I won't be guiding you on where to buy one but if you would like to make one here are some schematics: https://cdn.sparkfun.com/assets/9/e/f/8/2/951-00273-01_20180607_suzyqable_SCH_1.pdf

Now that you got your SuzyQ, here's what you do next.

Open a root shell on your Chromebook, this can be on a shim or within crosh, doesn't matter

Run gsctool -a -o, whenever it tells you to Press PP, press the power button

At the end of that process it'll restart and you'll be out of Developer Mode, turn it back on and head back to the terminal

Plug in your SuzyQ, on most devices you'd use the Right USB C port and then plug the USB A in anywhere, try your other ports if that doesn't work for you.

Once it's plugged in, in the lsusb command you should see the CR50 with an 18d1:5014 USB ID, if you don't see this try replugging.

Now that you see that, make sure that the TTY is open via running ls /dev/ttyUSB*, you should see TTY 0, 1, and 2.

To disable WP, run each of these one by one echo "wp false" > /dev/ttyUSB0

echo "wp false atboot" > /dev/ttyUSB0

echo "ccd reset factory" > /dev/ttyUSB0

Reboot, then run flashrom --wp-disable

Run crossystem wpsw_cur, this should output 0.

Downgrading kernel versions (kernver version switcher), requires unenrollment

To prevent most exploits being patched, you can downgrade both chrome version and kernver to something manageable.

Use KVS, with a full writeup and instructions available here: https://github.com/kxtzownsu/KVS

Get images from chrome100.dev

G11 Chromebook: nissa

G10 Chromebook: dedede

Full instructions are available here: https://chrome100.dev/guide

GBB flags (requires unenrollment)

Use Rigtools to set GBB flags and fix shit on your chromebook

https://binbashbanana.github.io/gbbflaginator/

https://docs.titaniumnetwork.org/kajigs/rigtools/

Idfk what this is, Jones was bitching about it so it could be good

It may be possible on unenrolled Chromebooks with developer mode enabled to run vpd—i RW_VPD -s check_enrollment=1 in VT2 to bypass policy and re-enroll. An exploit kit named Rigtoolsv2 also claims to have functionality called Riienrollment, which can also bypass enrollment policy set in the admin console.

Fakemurk/murkmod (requires unenrollment)

To prevent admin from checking unenrollment via GAC (admin console) and finding unenrolled chromebooks, use FakeMurk or Murkmod.

Note that Fakemurk is UNMAINTAINED, so murkmod is recommended.

Murkmod REQUIRES devmode (set GBB flags to 0x8000, 0x8090, or 0x8091), though you probaby should have that enabled if you unenrolled.

Installation instructions are available here: https://github.com/rainestorme/murkmod/blob/main/docs/installation.md

OLYBmmer/BadRecovery (patched maybe)

BadRecovery unenrolls ALL devices that are EOL before 2024, and can unenroll current supported devices on kernel version 3 or lower.

Instructions are available here: (I am too lazy to make a proper writeup)

https://github.com/BinBashBanana/badrecovery

Webview exploit

A random hole in chrome login that allows for unrestriced browsing (one tab only)

1. Add an account to chrome or go to chrome://chrome-signin on a chromebook
2. Enter [email protected] as the email and complete the captcha/security check
3. Click sign-in options
4. When prompted, click Sign in with Github
5. Click on Docs
6. Scroll to the bottom and click on Pricing
7. In the search bar type "google"
8. In the right sidebar click on google.com
9. You now have a tab that is unaffected by any extensions

Misc exploits

A series of exploits for different ChromeOS versions, some might be outdated or patched. Some might work, I didnt test any of this

https://github.com/S-PScripts/chromebook-utilities/tree/main/Exploits

Chromebook specs

FCPS chromebook specs: https://cros.tech/device/drawper/

HP specs sheet: https://h20195.www2.hp.com/v2/GetDocument.aspx?docname=c07811220

HP specs on website https://support.hp.com/us-en/document/ish_5492565-5492609-16

FCPS chromebook board and shims (recovery images): https://chrome100.dev/board/dedede

BYOD shits and bypasses

Wifi instructions

Based on the recent changes pushed by FCPS, the best way to bypass their restrictions is to BYOD.

You can also do this if you unenrolled your chromebook or flashed a Windows laptop (if you have one somehow)

To properly do BYOD, you probably shouldn't use the FCPS provided installer as your go-to option. Instead, use the wifi passwords in this repo to connect to their wifi directly (if that works). The certs that I managed to get my hands on may or may not work. Afaik it depends on the computer and/or the OS.

To use the installer, sign in a GUEST, NOT with your FCPS username. Download the certs manually and install as per the instructions provided. DO NOT use 2.2.2.2, use https://xprsscnctvm.fcps.edu/enroll/FairfaxCountyPublicSchools/Production/reset instead.

Chrome DNS (BYOD only)

If you are bringing your own computer, you can do this to prevent sites being blocked

Explanation for dumbasses like me

Windows laptops and PCs

FCPS no longer gives out windows laptops to everyone. The previously working methods have been patched on their course specific windows PCs and most likely on the personal windows laptops as well.

CS students are now given access to personal windows laptops instead of chromebooks, but again they will need to be flashed and have their BIOS passwords reset so as to reinstall the OS.

Windows PCs and laptops have a bundled installation of Java 17, located in C:/Program Files (x86)/jGRASP/bundled/java/bin/java.exe. This can be used to run modern Java software, including (but not limited to) Java based source ports of many older games. Look here instructions on running Java ports of Doom and Quake 2 (included as examples.)

The following script is linked as an example of setting up gradle to work with a bundled Java installation. The same repo contains modified build.gradle and gradle.properties for compiling Java applications with a bundled installation.

Chromebook games

Again, use a proxy to access blocked websites. Be advised that games (and sometimes yt) are somewhat laggy over a proxy connection.

If catfoolyou.github.io is blocked, a mirror of my website is available here

Eaglercraft and FNAW:

The latest 1.5.2 and 1.8.8 offline clients are available for download, as well as Five Nights at Winston's.

Other games:

Doom, Retal, Quake, Slope, Bananabread and all of the other games that must run in a web environment cannot be run locally. Might migrate my site soon.

Windows PC games

Quake 2

Download platform_wx_full.zip, extract, go to the bin folder and run fullgame.bat +set basedir "Quake 2"

Doom

Download mochadoom.jar, get the IWADS and run java -jar mochadoom.jar -iwad file.wad replacing file.wad with your IWAD file

Build engine games (Blood, Duke Nukem, etc)

Download BuildGDX, then get your hands on the game files (usually from the internet archive), and play it.

Blood: https://www.mediafire.com/file/o19ch8bxtxj6i59/Blood_DOS_Files_EN.zip/file

Duke Nukem 3d: https://archive.org/download/DUKE3D_DOS/DUKE3D.zip

Footnotes

1. Tf is this about?? None of them have ti50 afaik, at least none of the highschool ones ↩