New SH1MMER Exploit for Chromebook Unenrolls Managed ChromeOS Devices

February 1, 2023 | Ravie Lakshmanan


A new exploit has been devised to “unenroll” corporate or school-managed Chromebooks from administrative control.

Enrolling ChromeOS devices allows you to enforce device policies set by your organization through the Google Admin console, including which features are available to users.

“Each enrolled device complies with the policies you set until it is wiped or deprovisioned,” Google said in its documentation.

That is where the exploit comes in. Dubbed Shady Hacking 1nstrument Makes Machine Enrollment Retreat, or SH1MMER, it allows users to bypass these administrative restrictions.

The name is also a reference to shim, a return material authorization (RMA) disk image used by service center technicians to reinstall the operating system and run diagnostics and repair programs.

A Google-signed shim image is a “combination of existing Chrome OS factory bundled components” (release image, toolkit, firmware, and so on) that can be flashed to a USB drive.

The drive can then be used to boot the Chromebook into developer mode and invoke recovery options. Shim images are either generic or specific to a particular Chromebook board.

SH1MMER creates Chromebook recovery media using a modified RMA shim image and writes it to a USB stick. To do so, the online builder has to download a patched version of the RMA shim containing the exploit.

The next step is to boot the Chromebook into recovery mode with the USB stick containing the image connected, which brings up the modified recovery menu and lets the user fully unenroll the machine.

According to the Mercury Workshop team, which devised the exploit, the device “now behaves completely like a personal computer, with no spyware or blocker extensions.”

“The RMA shim is a factory tool that can sign certain authentication functions, but only the KERNEL partition is checked for signatures by the firmware,” the team further elaborated. “You are free to edit other partitions as long as you remove the force read-only bit.”

Additionally, the SH1MMER menu can be used to re-enroll the device, enable USB boot, open a bash shell, and even grant root level access to the ChromeOS operating system.

The Hacker News has reached out to Google for comment and will update the article when we hear back.
