Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/S-PScripts/chromebook-utilities/llms.txt

Use this file to discover all available pages before exploring further.

Hardware write protection (WP) is a physical security mechanism in Chromebooks that prevents the firmware (stored in SPI flash) from being modified. It is enforced by the CR50/Ti50 security chip and can be backed by either a physical screw or a dedicated WP pin on the motherboard. Disabling write protection is required for flashing custom firmware via tools like MrChromebox, performing the Pencil Method unenrollment, changing GBB (Google Binary Block) flags, and using the HWID unenrollment method. There are two approaches: the CCD (Closed Case Debugging) method using a SuzyQ debug cable, and the CRSH1TTY experimental bruteforcer (now effectively non-functional).
Disabling hardware write protection is an advanced procedure. Incorrectly following these steps can brick your Chromebook by corrupting firmware. Read every step carefully before executing anything. If your device becomes bricked, see the Unbrick your Chromebook section at the bottom of this page.

Which Unenrollment Methods Require WP Disabled

The following exploits require hardware write protection to be off before they can be performed:
  • Pencil Method — requires flashrom --wp-disable and GBB flag modification
  • HWID Method — requires write access to flash HWID changes
  • Custom firmware flashing (e.g., MrChromebox full ROM) — requires WP disabled at the firmware level
  • FORGE — requires a CH341A programmer to reflash firmware directly
Methods such as Sh1mmer, BadRecovery, Quicksilver, BR1CK, CryptoSmite, and Dunroll do not require WP to be disabled.

Method 1: Disable Hardware WP via CCD (Closed Case Debugging)

This method lets you disable hardware write protection without opening your Chromebook, using a SuzyQ (SuzyQable) debug cable. It communicates with the CR50 security chip over USB.
This method requires you to already be unenrolled, or to have FWMP off with Developer Mode enabled. It will not work on a fully enrolled and FWMP-locked device without first addressing enrollment.
Requirements:
  • SuzyQ cable (SuzyQable) — schematics for building one: cdn.sparkfun.com (PDF)
  • A root shell on the Chromebook (via Crosh shell, a shim bash shell, or VT2)
1

Open a root shell

Open a root shell on your Chromebook. This can be in a shim bash shell, via Crosh (sudo -i), or in the VT2 terminal — any root shell will work.
2

Run gsctool to unlock CCD

Run the following command. Whenever it prompts you to “Press PP”, press the power button:
gsctool -a -o
At the end of this process, the device will restart and exit developer mode. Re-enable developer mode and return to a root shell before continuing.
3

Connect your SuzyQ cable

Plug the SuzyQ cable into your Chromebook. On most devices, use the right USB-C port and plug the USB-A end into any other port. Try other ports if the right port does not work.Verify the connection by running:
lsusb
You should see the CR50 listed with USB ID 18d1:5014. If not, try replugging.
4

Verify TTY devices are open

Run the following to confirm the TTY devices are available:
ls /dev/ttyUSB*
You should see ttyUSB0, ttyUSB1, and ttyUSB2.
5

Disable write protection via CR50

Run each of the following commands one by one:
echo "wp false" > /dev/ttyUSB0
echo "wp false atboot" > /dev/ttyUSB0
echo "ccd reset factory" > /dev/ttyUSB0
6

Reboot and disable WP in flashrom

Reboot the device. After rebooting, run:
flashrom --wp-disable
7

Verify write protection is off

Confirm WP is disabled by running:
crossystem wpsw_cur
This should output 0. Write protection is now disabled.
This method is originally documented by MrChromebox: docs.mrchromebox.tech/docs/firmware/wp/disabling.html
Credits: akane, Titanium Network, MrChromebox.tech

Method 2: CRSH1TTY (Experimental — Effectively Non-Functional)

CRSH1TTY was an experimental exploit created by the Whelement team that theoretically allowed disabling WP on an enrolled device by bruteforcing RMA unlock codes via a CR50 rate-limited interface. It was designed for people who lack the ability to open their Chromebook or obtain a SuzyQ cable.
CRSH1TTY is no longer supported and will almost certainly not work. After further research, it was discovered that the CR50 is far more rate-limited than expected and simply lies about its rate limiting state. No available auth codes have been found. This section is documented for historical reference only.
The script was run from a root shell on a Chromebook with WP and WiFi enabled: 
cd /home/chronos/user/Downloads && curl -Lk https://raw.githubusercontent.com/Whelement/CRSH1TTY-public-beta/main/crsh1ttyb3.sh -o ./crsh1ttyb3.sh && bash ./crsh1ttyb3.sh
Despite its non-functional status, CRSH1TTY represents a notable community research effort into CR50 RMA unlock mechanisms. Credits: crossystem (Kelsea), TheTechFrog/TheSpiritOfDark, CoolObivion759, Windows XP, boeing 747

Unbrick your Chromebook

If a firmware modification goes wrong and your Chromebook fails to boot, the MrChromebox unbricking guide covers recovery procedures for most Chromebook models.

MrChromebox Unbricking Guide

Official unbricking documentation from MrChromebox covering recovery procedures for Chromebooks with corrupted or incorrect firmware.
If you cannot follow the unbricking instructions because they are too difficult, you should not have attempted the firmware modification in the first place. Ensure you understand every step and have a recovery plan before disabling write protection.

Build docs developers (and LLMs) love

Get started for freeTalk to us