CryptoSmite Setup
From FWSmasher
Re-enrollment steps (done before unenrollment)
Steps MUST be done before unenrolling with any method (useful for those who need to re-enroll with credentials)
Re-enrollment steps to be done after unenrolling
Steps must be done AFTER unenrolling
Re-enrollment steps (Done right after
Kernel Version Part 1
To check your kernver, start by booting into recovery mode.
Kernver check
The kernver (shown in the screenshot on that slide) appears on the recovery screen when you press Tab; it should end in 2, 1, or 0. If it doesn't end in any of these digits, your Chromebook isn't supported. If it is supported, downgrade to version 118 and proceed with the exploit. If you have already downgraded to a version earlier than 118, stay on that version. The minimum version is V63, so don't worry about going too low.
(Downgrading instructions by @cerulyan)
Items to download
RAW RMA SHIM: check the sh1mmer server
Stateful: stateful.tar.xz or smallstate.tar.xz
Cryptsetup chroot: st.tar.xz
Before starting, keep all of these ready.
Clone the cryptocrafter repo
In the Linux terminal (or WSL), run:
git clone https://github.com/FWSmasher/CryptoCrafter
(If you don't want to build the CryptoSmite shim yourself, use this and, after completing those steps, skip to the last slide)
Run cryptosmite_host.sh
Run this command in your Linux terminal (WSL, real Linux, or a VM). It MUST be run from inside the cloned directory:
./cryptosmite_host.sh <raw rma shim path> <cryptsetup chroot path> <stateful.tar.xz path>
Prepare the new RMA shim for flashing
Open the Chromebook Recovery Utility and, in the top-right corner, select "Use local image". The image should be the modified RMA shim.
Flash the RMA image
Select the USB Drive to flash
[Insert USB Drive selection screen here]
Boot the RMA Shim
Running the injected cryptosmite file
tar -xvf /mnt/shim_stateful/stateful.tar.xz -C /mnt/stateful
exit
What to do in temporary unenroll mode
You should now press the OK button on the OOBE screen.
Add user screen
Once you reach the screen displayed in the previous slide, enable devmode. If you don't reach this screen (if it gets stuck), open a GitHub issue.
Instructions for enabling devmode
From here there are two possible ways to proceed: either sit through the five-minute wait by pressing Ctrl+D, or skip the devmode transition.
Skipping the 5 minute devmode wait
Once you have reached the "devmode is on" screen, press Esc+Refresh+Power and boot into the RMA shim. Select the bash shell and run the following commands (or add them as a bash script):
mkfs.ext4 /dev/mmcblk0p1 -F
mount -o loop,rw /dev/mmcblk0p1 /tmp
touch /tmp/.developer_mode
umount /tmp && sync
Reboot
On "enrollment" branch shims, this script is already included in the new menu.
Running the last two commands in VT2
After enabling devmode, you need to boot into the operating system and run the following commands (press Ctrl+Alt+F2 and log in as `root`). These commands will NOT run in a shim.
vpd -i RW_VPD -s check_enrollment=0
cryptohome --action=remove_firmware_management_parameters
Run them quickly after you boot. If you don't get the timing right, powerwash and try again.
Kernel Version Switcher (Unenrolled only)
The kernel version switcher by @kxtz is an unenrolled-only method of changing kernel versions. Modifying the kernel rollback index in the TPM allows the use of newer versions of Chrome OS without the fear of being unable to downgrade to unenroll again after re-enrollment.
Links to the writeup