MercuryWorkshop / sh1mmer

source tree, website, and writeup for the sh1mmer chromebook jailbreak
https://sh1mmer.me
GNU General Public License v3.0

Unenrolling via sh1mmer as well as downgrading are impossible in versions after chromeOS 111 #57

Closed ItsTact closed 1 year ago

ItsTact commented 1 year ago

i don't want to spend 20 more hours trying to get chrome 112 to downgrade with various bash commands that don't work if someone else has found a solution

mylesbartlett72 commented 1 year ago

you don't need bash commands to downgrade, you just need a recovery usb. You need shell commands to block fw upgrade. IMPORTANT: DO NOT RUN THE SH1MMER BUILD TOOL ON THE RECOVERY USB, FLASH IT DIRECTLY

You can use fakemurk to block updates automatically, and make your chromebook appear enrolled still.

If you want to sign in with a home account instead (i.e. you don't want to use fakemurk): After downgrading, you can use sh1mmer mostly as normal. Some stuff doesn't work (since 112 patched the security chip firmware, and you can't downgrade that), but you can still unenroll. Once unenrolled, get developer mode with the standard procedure (the one for chromebooks that are not enterprise-enrolled; you cannot do it from sh1mmer with the security chip fw update). Once you get back to Chrome OS, do not connect to a network, but switch to virtual terminal 2. Disable rootfs verification, then reboot. Get back to vt2. Replace the unit file for the update service with a dummy one that does nothing. Reboot again, switch to vt2 again, and verify the change to the unit file persisted. If it did, you can now connect to a network and set up Chrome OS.

This is basically what I did, except I used sh1mmer before the patch, so I cannot verify whether you can e.g. get vt2 on the sign in screen. I can confirm replacing the update service unit file with a dummy one (e.g. prepend a hashtag to every line to make it all comments) does indeed prevent updates from occurring, at least on 110.
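The comment above describes neutering the update service by commenting out every line of its job file. The audit below is an added example (not code from the sh1mmer project or from the commenter) that a fleet administrator could run to detect exactly that tamper pattern: a job file that still exists but contains no active line. The path `/etc/init/update-engine.conf` is an assumption (ChromeOS runs update_engine as an Upstart job); the sample job files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the sh1mmer project: audit a ChromeOS init job
# file for the "every line commented out" tampering described in the thread.
# The path is an assumption; update_engine is an Upstart job under /etc/init/.
UPDATE_JOB="${UPDATE_JOB:-/etc/init/update-engine.conf}"

# Classify one job file.
#   return 0 -> intact: at least one active (non-blank, non-comment) line
#   return 1 -> neutered: every line is blank or a '#' comment, so the job
#               defines no stanzas and the service never starts
#   return 2 -> missing: the file does not exist
audit_update_job() {
    job="$1"
    if [ ! -f "$job" ]; then
        echo "MISSING: $job"
        return 2
    fi
    # -v drops lines that are empty, whitespace-only, or start with '#';
    # -q makes grep succeed as soon as one line survives the filter.
    if grep -Evq '^[[:space:]]*(#.*)?$' "$job"; then
        echo "intact: $job"
        return 0
    fi
    echo "TAMPERED: every line of $job is blank or commented out"
    return 1
}

# Constructed sample inputs so the audit can be exercised offline.
# Prints the directory that holds them.
make_samples() {
    dir=$(mktemp -d)
    # A plausible healthy job file (constructed; not the real ChromeOS file).
    printf '%s\n' \
        '# update_engine job (constructed sample)' \
        'start on started system-services' \
        'respawn' \
        'exec /usr/sbin/update_engine' > "$dir/healthy.conf"
    # The same file after a '#' has been prepended to every line.
    sed 's/^/#/' "$dir/healthy.conf" > "$dir/neutered.conf"
    echo "$dir"
}

# Stand-alone demo: audit both samples, then the live path if present.
samples=$(make_samples)
audit_update_job "$samples/healthy.conf"
audit_update_job "$samples/neutered.conf" || true
if [ -f "$UPDATE_JOB" ]; then
    audit_update_job "$UPDATE_JOB" || true
fi
rm -rf "$samples"
```

The grep filter is the whole check: a legitimate job always carries at least one uncommented stanza (`start on`, `exec`, and so on), so a file where nothing survives the filter has been hollowed out even though it still exists and still parses.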

ItsTact commented 1 year ago

i already succeeded in using sh1mmer on 108, but me being dumb updated to 112 to use linux, and then i couldn't downgrade to do anything, as all of the sh1mmer build utilities lead to a line 73 error.

are you sure what you're saying applies here?

mylesbartlett72 commented 1 year ago

> i already succeeded in using sh1mmer on 108, but me being dumb updated to 112 to use linux, and then i couldn't downgrade to do anything, as all of the sh1mmer build utilities lead to a line 73 error.
>
> are you sure what you're saying applies here?

huh let me look at that to see if there is anything obvious

Are you using the web builder or the local one?

mylesbartlett72 commented 1 year ago

Line 73 of wax.sh looks like this: `echo "Injecting payload"`. are you using wax_macos.sh by any chance?

(on wax_macos.sh it is a copy operation, which could potentially fail)

ItsTact commented 1 year ago

no, i used the web builder, but i am 100% sure it was working before i updated to 112. downgrading leads me to google's "this is not a valid thing"

ItsTact commented 1 year ago

Message is: `line 73: read: THERE WAS AN ERROR! The utility likely did not work. Press return to continue.`

mylesbartlett72 commented 1 year ago

> no, i used the web builder, but i am 100% sure it was working before i updated to 112. downgrading leads me to google's "this is not a valid thing". it might have been line 71 or something but it's where it says the utility didn't work, let me find a ss

huh, not sure how the web builder works (i built locally)

mylesbartlett72 commented 1 year ago

> Message is: `line 73: read: THERE WAS AN ERROR! The utility likely did not work. Press return to continue.`

What happens if you, well, press return to continue?

mylesbartlett72 commented 1 year ago

wait

I think I recognise that error

ItsTact commented 1 year ago

returns to the menu and then upon restart the device is enrolled again and i can't log in to anything but a school account

ItsTact commented 1 year ago

i am pretty sure this is patched i just want Mr. Cool Electronics here to post part 4 on their blog to see if they have a solution to this instead of me trying and failing to inject code

mylesbartlett72 commented 1 year ago

> returns to the menu and then upon restart the device is enrolled again and i can't log in to anything but a school account

which option did you select in the menu?

ItsTact commented 1 year ago

GBB, unenroll, and unblock dev mode had the problems. i think i can try again but that takes another couple minutes

mylesbartlett72 commented 1 year ago

> GBB, unenroll, and unblock dev mode had the problems. i think i can try again but that takes another couple minutes

unblock dev mode is known to be broken at the moment

I think you just need GBB and unenroll to work to be able to unenroll (there is a race condition you can abuse from there to get dev mode)

ItsTact commented 1 year ago

what's the "race condition"

mylesbartlett72 commented 1 year ago

> what's the "race condition"

it's not really relevant here, it's basically how you can get dev mode even with the patch to the security chip (basically there is a brief window in which you can take ownership of it)

mylesbartlett72 commented 1 year ago

> GBB, unenroll, and unblock dev mode had the problems. i think i can try again but that takes another couple minutes

OK, I have little to no clue why they are going wrong (apart from the fact the unenroll option runs the enable dev mode option as well, which is probably why you get an error with it)

I am going to find out where the gbb flag setting script is, to see if I can figure out what is wrong with it

(by the way, posting error messages verbatim really helps with figuring out what the heck happened)

(also, have you built a new shim and tested that since you first unenrolled? there might have been an update that works around this)

ItsTact commented 1 year ago

i have not done that, i will check later today. also i only have that one error message i got above. thanks for the help, i'll get back to this

mylesbartlett72 commented 1 year ago

oh huh the gbb flag setting script looks like it is part of the stock shims

it looks like the gbb flags utility in sh1mmer just tries to clear all of them

mylesbartlett72 commented 1 year ago

Also, have you rolled back your chromeOS version?

chromeOS always checks enrollment starting from version 111 (before, it would only check if the relevant vpd flag was set)

ItsTact commented 1 year ago

i thought i mentioned i'm on version 112

mylesbartlett72 commented 1 year ago

> i thought i mentioned i'm on version 112

ah yeah that would be it my bad

mylesbartlett72 commented 1 year ago

> i thought i mentioned i'm on version 112
>
> ah yeah that would be it my bad

you did mention it, I should have made it more clear you need to downgrade

mylesbartlett72 commented 1 year ago

https://chrome100.dev/ should have a recovery image for your board

ItsTact commented 1 year ago

the thing is, i can't, so i guess that's it

mylesbartlett72 commented 1 year ago

> the thing is, i can't, so i guess that's it

what board do you have?

ItsTact commented 1 year ago

octopus at version 112. when i try to downgrade to 110 it throws "You are using an outdated ChromeOS image"

mylesbartlett72 commented 1 year ago

> octopus at version 112. when i try to downgrade to 110 it throws "You are using an outdated ChromeOS image"

dangit

ItsTact commented 1 year ago

precisely why i am asking when a part 4 is coming

mylesbartlett72 commented 1 year ago

ah yeah

there might be a way to do it, but its a long shot

ItsTact commented 1 year ago

go on

mylesbartlett72 commented 1 year ago

So, basically, one of the GBB flags is GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK

You could potentially set it from within sh1mmer

mylesbartlett72 commented 1 year ago

I think there is an option to get a shell directly in sh1mmer

ItsTact commented 1 year ago

yes there is i will try that

mylesbartlett72 commented 1 year ago

I think you would have to run `/usr/share/vboot/bin/set_gbb_flags.sh 0x00000020`

mylesbartlett72 commented 1 year ago

> I think you would have to run `/usr/share/vboot/bin/set_gbb_flags.sh 0x00000020`

after running it, see if you can downgrade

if not, then I don't know how to proceed (other than pulling out the motherboard and editing the data on the SPI flash with an external programmer, which I do not really know how to do)

ItsTact commented 1 year ago

i misremembered: gbb is enabled but unenroll and unblock dev are not. i tried downgrading in dev mode and it worked, with a message saying that it could downgrade cause it was in dev mode, but it then sent me to the ChromeOS is missing or damaged screen, and it would not load chrome 110 no matter what buttons i pressed

mylesbartlett72 commented 1 year ago

> i misremembered: gbb is enabled but unenroll and unblock dev are not. i tried downgrading in dev mode and it worked, with a message saying that it could downgrade cause it was in dev mode, but it then sent me to the ChromeOS is missing or damaged screen, and it would not load chrome 110 no matter what buttons i pressed

(hopefully this doesn't get posted repeatedly or something)

what happens if you hit CTRL+D or wait 30 seconds without doing anything?

ItsTact commented 1 year ago

ctrl+d doesn't work and waiting doesn't do anything either

ItsTact commented 1 year ago

pressing tab brings up `recovery_reason: 0x5b / 0x5b No bootable kernel found on disk`. i think then it's probably my downgraded usb's problem, but i'll have to wait until i get home to fix that

mylesbartlett72 commented 1 year ago

i thought as much, it seems like it isn't finding chromeos

mylesbartlett72 commented 1 year ago

it might be something to do with firmware management parameters - have you booted sh1mmer after downgrading?

either that, or its a corrupt/badly flashed recovery image

ItsTact commented 1 year ago

i sh1mmered it and then made it downgrade. i just stuck my sh1mmer usb in and it says the device you inserted does not contain chrome os. i've tried recovering twice to no avail, playing around with it more at the moment

ItsTact commented 1 year ago

ok i'm pretty sure it's the recovery image, because sh1mmer still works. really hoping my chromebook is not bricked

ItsTact commented 1 year ago

ok after a bit more playing around, here's the official "case status" for what happens on chromebooks loaded with version 112.0.5615.134, i'm on octopus specifically

  1. Sh1mmer does work and flash, but trying to unenroll or unblock dev mode leads to `line 73: read: THERE WAS AN ERROR! The utility likely did not work. Press return to continue.` Everything else works.
  2. When trying to downgrade by flashing a recovery image from Chromium Dash or chrome100.dev, it will first verify if it is valid, and if not in developer mode, it will refuse to work
  3. If flashing the recovery image in developer mode, it will succeed in verifying it but will warn the user that the only reason they can do this is because developer mode is on. After this happens, the chromebook will prompt the recovery usb to be taken out, and upon restarting, will throw "ChromeOS is missing or damaged". Pressing Ctrl+D or the Esc+Refresh+Power salute will not stop this from happening; the error displayed by pressing tab is "recovery_reason: 0x5b / 0x5b No bootable kernel found on disk". The only way to unbrick the chromebook is to load the image file through the chromebook brand dropdown in the chromebook recovery extension (example: my chromebook is ASUS C204), and only then will it boot up correctly. Still nothing will work because the version pulled is still 112.

zeglol1234 commented 1 year ago

im not reading all this lol. if yall wanna have a conversation can you take it elsewhere, you're taking up space inside an issue. try going into the tn discord. someone close this lol

TheMemeSniper commented 1 year ago

idc if y'all continue as long as you wrap it up eventually

mylesbartlett72 commented 1 year ago

> ok after a bit more playing around, here's the official "case status" for what happens on chromebooks loaded with version 112.0.5615.134, i'm on octopus specifically
>
> 1. Sh1mmer does work and flash, but trying to unenroll or unblock dev mode leads to `line 73: read: THERE WAS AN ERROR! The utility likely did not work. Press return to continue.` Everything else works.
>
> 2. When trying to downgrade by flashing a recovery image from Chromium Dash or [chrome100.dev](https://chrome100.dev/), it will first verify if it is valid, and if not in developer mode, it will refuse to work
>
> 3. If flashing the recovery image in developer mode, it will succeed in verifying it but will warn the user that the only reason they can do this is because developer mode is on. After this happens, the chromebook will prompt the recovery usb to be taken out, and upon restarting, will throw "ChromeOS is missing or damaged". Pressing Ctrl+D or the Esc+Refresh+Power salute will not stop this from happening; the error displayed by pressing tab is "recovery_reason: 0x5b / 0x5b No bootable kernel found on disk". The only way to unbrick the chromebook is to load the image file through the chromebook brand dropdown in the chromebook recovery extension (example: my chromebook is ASUS C204), and only then will it boot up correctly. Still nothing will work because the version pulled is still 112.

I think you can load older images manually through the chromebook recovery extension, but im not sure

it seems your older image is bad (which is why you cannot flash it outside of dev mode, and it leaves you without a valid kernel) - this could either be due to it getting corrupted while downloading, it being corrupted on the website (maybe try a different one that is 110 or below?) or it getting corrupted during flashing.

Also, there are two variants of the board ID: one is used by the RMA shim (can't remember the exact name of it) and the other is the customisation ID, which should display somewhere in the recovery. I think you want the customisation ID for selecting a recovery image, and sometimes they are different (e.g. volteer board/collis customisation ID)
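The diagnosis above is a recovery image that was corrupted in transit, on the mirror, or while being written, which ends in a device with no bootable kernel. The script below is an added example (not code from the sh1mmer project, chrome100.dev, or the commenter) of the two checks worth running before a recovery image is ever written to USB: the SHA-256 matches the digest the publisher ships, and the file actually carries a GPT header at LBA 1 the way a raw ChromeOS disk image does. The sidecar format (`<hex digest>  <file name>`, as `sha256sum` writes it) is an assumption, and the sample images are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the sh1mmer project or chrome100.dev: pre-flash
# sanity checks for a downloaded recovery image. Assumes the publisher's digest
# is available in a sidecar file in `sha256sum` format (hex digest, two spaces,
# file name). Sample images below are constructed, not real recovery images.

# Check 1: the file's SHA-256 equals the digest in the sidecar.
#   return 0 -> match, 1 -> mismatch (corrupt download, wrong or tampered file)
image_checksum_ok() {
    img="$1"; sums="$2"
    expected=$(cut -d' ' -f1 "$sums")
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Check 2: bytes 512..519 hold the GPT signature "EFI PART" (hex 4546492050415254).
# A truncated download or a non-disk file fails this even when its own digest
# happens to match. Comparing hex via od avoids NUL bytes in shell variables.
image_has_gpt() {
    sig=$(dd if="$1" bs=1 skip=512 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "4546492050415254" ]
}

# Run both checks in order; refuse on the first failure.
#   return 0 -> safe to flash, 1 -> digest mismatch, 2 -> no GPT header
preflight_image() {
    img="$1"; sums="$2"
    if ! image_checksum_ok "$img" "$sums"; then
        echo "REFUSE: $img does not match the published SHA-256"
        return 1
    fi
    if ! image_has_gpt "$img"; then
        echo "REFUSE: $img has no GPT header at LBA 1 (truncated or not a disk image)"
        return 2
    fi
    echo "OK: $img passed pre-flash checks"
}

# Constructed samples: a 1 KiB stand-in for a good image, a bit-flipped copy,
# and a zero-filled file that is correctly hashed but is not a disk image.
# Prints the directory holding them.
make_samples() {
    dir=$(mktemp -d)
    {
        dd if=/dev/zero bs=512 count=1 2>/dev/null   # protective MBR area
        printf 'EFI PART'                            # GPT signature at LBA 1
        dd if=/dev/zero bs=504 count=1 2>/dev/null   # rest of the header block
    } > "$dir/good.bin"
    printf '%s  good.bin\n' "$(sha256sum "$dir/good.bin" | cut -d' ' -f1)" > "$dir/good.bin.sha256"
    {
        dd if="$dir/good.bin" bs=1 count=600 2>/dev/null
        printf 'X'                                   # one corrupted byte
        dd if="$dir/good.bin" bs=1 skip=601 2>/dev/null
    } > "$dir/flipped.bin"
    dd if=/dev/zero bs=512 count=2 2>/dev/null > "$dir/notdisk.bin"
    printf '%s  notdisk.bin\n' "$(sha256sum "$dir/notdisk.bin" | cut -d' ' -f1)" > "$dir/notdisk.bin.sha256"
    echo "$dir"
}

# Stand-alone demo over the three constructed samples.
samples=$(make_samples)
preflight_image "$samples/good.bin" "$samples/good.bin.sha256"
preflight_image "$samples/flipped.bin" "$samples/good.bin.sha256" || true
preflight_image "$samples/notdisk.bin" "$samples/notdisk.bin.sha256" || true
rm -rf "$samples"
```

The digest check catches the download and mirror corruption cases; the GPT check is the cheap structural test that distinguishes a whole disk image from a truncated or mislabelled file, which is the failure the thread ends in (a flashed image with no kernel partition to boot).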

velzie commented 1 year ago

Soon:tm:

downgrading, as well as all forms of unenrollment, are patched by google in 112. there will be a workaround when part 4 drops which will be in like a week or 2 idk

I'm leaving this open for now as a representation of the current state of the project

ItsTact commented 1 year ago

btw i did manage to downgrade to 108 LTS (108.0.5359.230) last night but as the blog says, it was patched in April; 108 LTC (108.0.5359.221) will still refuse to boot on mine