Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/S-PScripts/chromebook-utilities/llms.txt

Use this file to discover all available pages before exploring further.

Unenrollment removes your Chromebook from enterprise or school management (Google Admin Console), freeing the device from policy restrictions, blocked extensions, supervised browsing, and kiosk mode. Once unenrolled, the device behaves as a personal Chromebook. The community maintains a comprehensive guide at chromebook-guide.github.io covering the most actively developed methods. This page documents every known method from the utilities collection, organized by version compatibility and mechanism.
Unenrolling a managed Chromebook likely violates your school or organization’s Acceptable Use Policy. Most methods cause data loss. Some exploits are hardware-specific — applying the wrong method to an incompatible board can brick the device. Proceed at your own risk and understand each step before executing it.

Method Compatibility Overview

MethodChromeOS VersionKernel VersionNotes
Crosh Method≤ v100AnyPatched since v101
Sh1mmer≤ v110 (standard), v111–v113 (limited)KV ≤ 3Shims required; Google took down downloads
E-Halcyon≤ v129 (approx)KV ≤ 3Semi-tethered; USB required each boot
CryptoSmite≤ v119KV ≤ 2Via Sh1mmer payload
BadRecovery≤ v124 (most modes)KV ≤ 3EOL-before-2024 devices also supported
GoodSilver≤ v142AnyBadRecovery port of Quicksilver
Quicksilverv125–v142KV4–KV6Requires Sh1mmer or Sh1ttyExec
Dunroll≤ v130AnyCrosh rollback; WiFi disconnect required
BR1CK≤ v131CR50 onlyTPM race condition; luck/timing dependent
CRSH2TTYAny (patched)AnyNo longer works
BadApple≤ v131KV ≤ 3, disk v3Keyrolled devices (e.g. nissa)
IcarusAny (self-hosted)AnyRequires self-hosted proxy + custom CA
HWIDAny (≤ v129 patched)WP off requiredHardware WP must be disabled
Pencil MethodAnyWP off requiredPhysical hardware modification
De-EnterpriseAnyAnyRequires replacing storage chip
FORGEKV7+ keyrolled CR50KV7+CH341A programmer required

Methods

This is a very old exploit that only works on ChromeOS versions before v101. Check your version at chrome://version.
1

Open Crosh

Open Crosh with Ctrl + Alt + T or navigate to chrome-untrusted://crosh.
2

Run the unenrollment command

Paste and run the following command:
set_cellular_ppp \';dbus-send${IFS}--system${IFS}--print-reply${IFS}--dest=org.chromium.SessionManager${IFS}/org/chromium/SessionManager${IFS}org.chromium.SessionManagerInterface.ClearForcedReEnrollmentVpd;exit;\'
3

Powerwash

Powerwash the device. It will be unenrolled after setup.
After unenrolling, enable MAC Address Randomization in chrome://flags to avoid being identified on the network.
To re-enroll, open a bash shell and run:
sudo -i
vpd -i RW_VPD -s check_enrollment=1
echo "fast safe" > /mnt/stateful_partition/factory_install_reset
reboot
Credits: velzie/coolelectronics
Sh1mmer (Shady Hacking 1nstrument Makes Machine Enrollment Retreat) was discovered by Mercury Workshop and released on January 13, 2023. It is capable of completely unenrolling enterprise-managed Chromebooks by booting a modified RMA shim.
Google has taken down official shim downloads. Use cros.download to obtain a shim for your board. If you are on v111–v113, a separate variant applies.
Boards with publicly leaked RMA shims: brask, brya, clapper, coral, corsola, dedede, enguarde, glimmer, grunt, hana, hatch, jacuzzi, kukui, nami, octopus, orco, pyro, reks, sentry, stout, strongbad, tidus, ultima, volteer, zorkWriting the shim to USB:
1

Find your board name

Go to chrome://version on your Chromebook and copy the word after stable-channel in the Platform field.
2

Download and build a Sh1mmer image

Download a shim from dl.sh1mmer.me and build it with the Sh1mmer web builder. You need a modified shim, not a raw shim.
3

Flash to USB

Install the Chromebook Recovery Utility extension on your personal computer. Open it, click the gear icon, select “Use local image”, choose your shim file, select your USB, and start writing. This takes approximately 10 minutes.
Executing on the Chromebook:
1

Enter Recovery Mode

Press Power (⏻) + Reload (↻) + Escape simultaneously.
2

Trigger developer mode flag

Press Ctrl + D on the recovery screen, then press Enter.
3

Re-enter recovery mode

Press Power (⏻) + Reload (↻) + Escape again. This step is critical and cannot be skipped.
4

Boot the shim

Plug in your shimmed USB, then press Power (⏻) + Reload (↻) + Escape once more. After a brief loading screen you will be in the Sh1mmer menu.
5

Unenroll

Navigate the Sh1mmer UI to unenroll the device, then exit and reboot.
After unenrolling, it is recommended to add your personal account first, then add your school account. To re-enroll temporarily for kiosk exams, see instructions at sh1mmer.me/kiosks.txt.Credits: Mercury Workshop
BadRecovery (formerly OlyBmmer) leverages a vulnerability in ChromeOS recovery images to get arbitrary code execution. It unenrolls all devices that went EOL before 2024, and can unenroll supported devices on kernel version 3 or lower. Released October 5th, 2024.Modes of operation:
ModeRequirementsDescription
postinstv86–v124, disk layout v1 or v2ROOT-A overflows into ROOT-A (internal); replaces postinst
postinst_symv34–v124, kernel ≥ 4.4ROOT-A overflows into STATE; symlink exploitation
persistv26–v89Encrypted data persisted via CryptoSmite
basicv26–v119Standard CryptoSmite unenrollment payload
unverified≤ v41 / ≤ v47 (WP off) / any (dev mode not blocked)Requires developer mode; for very old devices
Compatibility check (in order):
  1. Was your device EOL before 2024? → YES — you’re compatible
  2. Are you on ChromeOS v124 or lower? → YES
  3. Was your device released after mid-2024? → NO
  4. Does your kernver (shown on recovery screen after pressing Tab) end in 03 or lower? → YES
R125+ recovery images are patched (except unverified mode).Building an image:
git clone https://github.com/BinBashBanana/badrecovery
cd badrecovery
sudo ./build_badrecovery.sh -i <image.bin>
Use --type (or -t) to specify a mode (e.g., -t postinst). The script auto-selects the best mode if unspecified.Running on device:
1

Enter Recovery Mode

Press Esc + Reload + Power. If using the unverified payload, press Ctrl + D to enter developer mode, then re-enter recovery.
2

Plug in the BadRecovery drive

On the “Connect a recovery device” screen, plug in your prepared USB.
3

Follow the payload

On postinst/postinst_sym, BadRecovery runs partway through recovery. On persist/basic, reboot into verified mode first; on basic, proceed through setup to the Add Account screen, then Powerwash.
On Cr50 devices (most 2018 or later), you must not be in developer mode for unenrollment to work — ensure you are in verified mode recovery.
Credits: OlyB/BinBashBanana, Writable (CryptoSmite), Rory McNamara
Quicksilver unenrolls Chromebooks running ChromeOS v125–v142 with kernel versions 4 through 6.If your device can boot Sh1mmer (unkeyrolled):
1

Boot Sh1mmer

Boot Sh1mmer (use a version from at least December 15th, 2025).
2

Run Quicksilver payload

Open the payloads menu and run the Quicksilver payload.
3

Complete setup

Go through OOBE setup. You should be unenrolled.
If using a Sh1mmer version from before December 15th, 2025, run the following in the bash shell: vpd -i RW_VPD -s re_enrollment_key="$(openssl rand -hex 32)" (ignore the “unable to write ‘random state’” message).
If your device cannot boot Sh1mmer (keyrolled):
1

Run Sh1ttyExec

Execute Sh1ttyExec for versions below v143.
2

Enable Developer Mode then re-enter Recovery

Enable developer mode, then enter recovery mode again.
3

Boot GoodSilver and deprovision

Boot a GoodSilver image from unenrollment.com/GoodSilver and choose “Deprovision”. After reboot you will be unenrolled.
This unenrollment is persistent on unpatched versions (≤ v142). To re-enroll (if you want to), run vpd -i RW_VPD -d "re_enrollment_key" in any shell.Credits: Emery/emerwyi (discovery), Awen/qorsola, kxtz, crosbreaker, lxrd/SPIRAME
GoodSilver is a port of Quicksilver to the BadRecovery exploit, enabling devices that cannot boot Sh1mmer shims (keyrolled devices) to unenroll using the Quicksilver method.Requirements: USB or SD card (8 GB+), a ChromeOS device below r143.Building an image:
git clone https://github.com/AerialiteLabs/GoodSilver && cd GoodSilver
sudo ./build_goodsilver.sh -i <image.bin>
Use an official r124 recovery image for your device as the base (download from cros.download).Running on device (using Sh1ttyExec):
1

Powerwash

Press Ctrl + Alt + Shift + R to Powerwash.
2

Trigger crash to OOBE

Start enrolling, then open the Powerwash menu (Ctrl + Alt + Shift + R) and wait until it crashes back to the “Get Started” screen.
3

Intercept enrollment and enter recovery

Try enrolling again. The moment your Chromebook shows “Enterprise Enrollment”, press Esc + Reload + Power to enter recovery mode.
4

Enable Developer Mode then re-enter Recovery

Press Ctrl + D to enable developer mode, then press Esc + Reload + Power again.
5

Boot GoodSilver

Plug in the prepared USB. GoodSilver starts in a few seconds. Go through setup — you should be unenrolled.
Credits: Emery/emerwyi (Quicksilver), Sophia/soap-phia (BadRecovery port), OlyB/BinBashBanana, vk6/ading2210, lxrd/SPIRAME
BR1CK was released October 27th, 2024. It exploits an oversight in FWMP (Firmware Management Parameters) creation in the TPM. By EC-resetting at precisely the right moment during enrollment, it corrupts the FWMP TPM space, making the FWMP unreadable and allowing Sh1mmer to unenroll the device.Requirements:
  • A CR50-based board (not TI50) — incompatible boards: brya, brask, cherry, guybrush, skyrim, rex, nissa, corsola, staryu, geralt
  • A leaked shim, USB drive, and another PC to flash it
  • Preferably access to chrome://network#logs for timing precision
Finding your board name: Go to chrome://version, press Ctrl + F, and search for stable-channel. The word after it is your board name.Finding the reset timing (recommended — with chrome://network#logs):
1

Powerwash and capture logs

Powerwash your device, go to chrome://network#logs, check all options, and upload the combined-logs.tar.gz to the BR1CK website to get your precise timing.
2

Powerwash again and time enrollment

Powerwash, proceed through setup, start a stopwatch when “Enterprise enrollment” appears, and EC-reset (Reload ↻ + Power ⏻) at the timing the website provided.
3

Verify the brick

If you see an error screen (press Tab to confirm the recovery reason mentions a TPM error), proceed. Otherwise, retry — most people succeed within 2–20 attempts.
After bricking — unbricking and unenrolling:
1

Enable Developer Mode and enter Recovery

Press Ctrl + D, then Enter, then Esc + Reload ↻ + Power ⏻.
2

Boot the shim and deprovision

Plug in your shim USB. When Sh1mmer boots, press D for “Deprovision”.
3

Open bash and unbrick via gsctool

Press B for bash shell, then run:
gsctool -a -o
Press the power button whenever it says “Press PP button now!” and wait when it says “Another press will be required”.
4

Re-enter Developer Mode and set up

After rebooting, press Esc + ↻ + ⏻, then Ctrl + D, then Enter. Boot into ChromeOS and begin setup through OOBE.
5

Set enrollment flag and Powerwash

Enter VT2 (Ctrl + Alt + →) and run:
vpd -i RW_VPD -s check_enrollment=0
Powerwash. After setup you will be unenrolled.
Credits: Byte, OlyB, silk, Kilo, doxr, peap, appleflyer, Windows XP, TNTCrazyError
Dunroll unenrolls Chromebooks on ChromeOS v130 and lower by performing a rollback via Crosh while disconnected from WiFi during the enrollment phase.
1

Powerwash the device

Press Ctrl + Alt + Shift + R on the login screen, or enable and disable developer mode if the shortcut is blocked.
2

Disconnect WiFi at the critical screen

When you reach the update setup screen or the “Please wait / Determining device configuration” screen with the Google logo, disconnect from WiFi and stay disconnected for the rest of the process.
3

Roll back in Crosh

Open Crosh in guest mode and perform a rollback.
4

Complete

You are now unenrolled.
Credits: coder0-code — github.com/coder0-code/dunroll
CryptoSmite was found by FWSmasher and released March 9th, 2024. It uses stateful backups to alter the encrypted stateful partition contents and make the device appear unenrolled. It has been patched since ChromeOS v120, and requires a kernver ending in 0, 1, or 2.Checking your kernver:
1

Enter Recovery Mode

Hold Esc + Refresh + Power for 2–3 seconds.
2

Check kernver

Press Tab and look at the last digit of the kernver= line.
  • Ends in 0 or 1: you can downgrade to any version
  • Ends in 2: you can downgrade to v112–v119
  • Ends in 3: CryptoSmite is not available
Using CryptoSmite:
1

Download and boot Sh1mmer

Download a Sh1mmer Prebuilt image from dl.darkn.bio/SH1mmer/Prebuilt and boot the shim.
2

Navigate to CryptoSmite

Go to Payloads, select CryptoSmite using the arrow keys, and press Enter.
3

Confirm and reboot

Type Y and press Enter. The device reboots automatically.
4

Proceed through setup and Powerwash

Go through setup until the “Add Account” screen. If an update prompt appears, reboot and press Ctrl + Alt + E on the Wi-Fi screen to skip it. At the “Add Account” screen, Powerwash the Chromebook. It will be fully unenrolled.
BadApple provides code execution in developer-mode recovery on keyrolled devices (e.g., nissa). It has the same capabilities as Sh1mmer but with the TPM disabled. Patched around KV4.Requirements: Disk layout v3 (boards made after 2021); keyrolled board (e.g., nissa).
1

Enter Developer Mode

Press Esc + Refresh + Power then Ctrl + D.
2

Re-enter Recovery from the block screen

When you reach the developer mode block screen, press Esc + Refresh + Power again.
3

Select Internet Recovery

Choose Internet Recovery from the advanced options.
4

Open VT3 shell

When miniOS loads, press Ctrl + Alt + F3 to open the VT3 shell. If the screen is blank, try Internet Recovery (old) instead.
5

Run exploits from the shell

You now have a shell. You can run CryptoSmite, Icarus, or DAUB from here.
Why this works: When developer mode is enabled, cros_debug is set to 1 in crossystem. Google forgot that the recovery initramfs should always be trusted regardless. miniOS opens a VT3 shell when cros_debug == 1, giving shell access while enrolled.Credits: appleflyer, Titanium Network
CRSH2TTY was a USB-less universal unenrollment exploit that worked on any version/kernver. It has been confirmed to no longer work.How it worked: By powerwashing, proceeding through enrollment, restarting at specific times during enrollment, then leaving the device off for at least 15 hours, roughly 20% of attempts would result in an unenrolled state.This exploit is documented here for historical reference only.Credits: Kelpsea Stem, Scaratek (Hazel), Whelement, Titanium Network
E-Halcyon (via RecoMod) provides a semi-tethered unenrolled ChromeOS environment. After setup, the device boots into a downgraded and unenrolled ChromeOS, but requires the USB to be present each boot to jumpstart the process. History/cookies do not persist across reboots due to cryptohome restrictions.Prerequisites: Already unenrolled via Sh1mmer; a Linux PC or VM (WSL not guaranteed); a v107 recovery image for your board from cros.download.
1

Modify a v107 recovery image with RecoMod

git clone https://github.com/MercuryWorkshop/RecoMod
cd RecoMod
chmod +x recomod.sh
sudo ./recomod.sh -i /path/to/recovery/image.bin --halcyon --rw_legacy
2

Flash and boot the USB

Flash the modified image to USB. Enable developer mode and reach the dev mode block screen, then plug in the USB. Spam the E key — a 5-minute wait begins. Spam E again near the end of those 5 minutes. (Only needed once; subsequent boots skip this wait.)
3

Activate Halcyon

In the boot menu, navigate to “activate halcyon environment” and press Enter. Then select “Install halcyon semi-tethered” and wait. After completion, go back and select “Boot halcyon semi-tethered” to boot into the unenrolled environment.
Credits: CoolElectronics (RecoMod), OlyB, vk6
Icarus unenrolls devices through device management interception using a proxy and a custom Certificate Authority. It intercepts ChromeOS enrollment traffic at the network level.
NEVER use a public IP address or public server for Icarus. Anything Google can remotely perform on your device (install extensions, spy, use your camera, remote in, get your passwords) can also be done by whoever controls the Icarus proxy. Only self-host Icarus on a server you fully control.
Setup:
git clone --recursive https://github.com/MunyDev/icarus/
cd icarus
make setup-venv
make enter-venv
make setup-python
make build-packed-data
Before continuing, open Chrome on your build machine, go to chrome://components, find PKIMetadata, and click “Check for Updates”. Ensure it shows as up-to-date with a version below 2000. Then:
bash get_original_data.sh
bash make_out.sh myCA.der
Modify the shim with your generated PKIMetadata:
bash modify.sh <shim path>
Boot the shim. Then start your proxy server with make start-server. Reboot the device, open network configuration, set your proxy to Manual, set the HTTPS IP to your server IP, and resume setup. The device will unenroll.Credits: MunyDev, Archimax, r58Playz, Akane
The HWID method provides persistent and easy toggling between unenrolled and enrolled states by setting a malformed HWID, preventing the device from completing enrollment normally.Requirements: Hardware write protection must be disabled first. See Disable Hardware Write Protect.
1

Disable write protection

Disable hardware WP (see the Hardware Write Protect guide). You must be unenrolled or have FWMP off with developer mode on.
2

Set a malformed HWID

Change your HWID to a malformed one (e.g., append -DEV to your existing HWID). Use the MrChromebox payload in Sh1mmer if you need a GUI, or use manual commands. Set GBB flags for developer mode as well.
3

Recover to any image

Flash and recover to any ChromeOS recovery image.
4

Handle the factory error

The device will show a “factory error malformed HWID” screen — press Skip. There should be no “Get Started” screen at this point. Connect to WiFi and log in with your personal account.
5

Re-trigger OOBE

Sign out with Ctrl + Shift + Q + Q. You will be placed on a “Get Started” screen. Go through OOBE — after pressing Continue on WiFi, the device will attempt to enroll but fail. EC-reset (Refresh + Power). You should land on the personal account sign-in screen.
To re-enroll, Powerwash and choose enterprise enrollment at the account screen instead of your personal account. Revert your HWID before returning the device to school.Credits: Titanium Network
The Pencil Method unenrolls by physically bridging pins on the flash chip to disable hardware write protection, then running commands to remove FWMP. Created by Darkn.
This can harm your Chromebook if done incorrectly. Physical hardware modification required. Proceed entirely at your own risk.
Requirements: Conductive material (staple, tin foil, paperclip), scissors, tape (optional), Sh1mmer USB, screwdriver.
1

Dismantle and bridge pins

Remove screws from the bottom of your Chromebook and disconnect the battery. Locate the 8-pin flash chip on the motherboard (typically Winbond or GigaDevice branding, labelled 25Q64xx or 25Q128xx). Bridge pin 3 (WP) to pin 8 (VCC) using your conductive material. Optionally tape it in place, then reconnect the battery.
2

Boot Sh1mmer and run commands

Boot into Sh1mmer. Navigate to UtilitiesUn-Enroll Device (required even if it fails). Then go to Open Bash and run:
flashrom --wp-disable
/usr/share/vboot/bin/set_gbb_flags.sh 0x8090
If these commands fail, the pins are not bridged correctly.
3

Reboot and enter VT2

Press Refresh ↻ + Power ⏻ to reboot. Press Ctrl + D to bypass the OS verification screen and boot into ChromeOS. Then press Ctrl + Alt + F2 to enter VT2 and log in as root.
4

Remove firmware management parameters

tpm_manager_client take_ownership
cryptohome --action=remove_firmware_management_parameters
5

Powerwash

Press Ctrl + Alt + F1 to exit VT2, then press Ctrl + Alt + Shift + R and click Powerwash.
Credits: Darkn, AshtonDavies
De-Enterprise unenrolls by physically replacing the storage chip (which contains enrollment data) with a new identical chip. The new chip contains no enrollment information, so the device boots as unenrolled.
You must be willing to disassemble your Chromebook. Incorrect handling of internal components can cause permanent damage.
1

Open your Chromebook

Disassemble the Chromebook to access the motherboard.
2

Identify the storage chip

Check the brand and model of the drive chip (the chip responsible for storing enrollment data). Note the exact model number.
3

Purchase an identical chip

Find and purchase the exact same chip online. It must be an exact match.
4

Swap the chip

Remove the old chip and install the new one.
5

Power on

Turn on the Chromebook. It should be unenrolled. To re-enroll later, swap the old chip back in.
Credits: schoolexploitkid — github.com/schoolexploitkid/De-Enterprise-unenrollment
FORGE (Firmware Overwrite and Reflash for Google Equipment) is an intentional exploit for unenrolling KV7+ keyrolled CR50 devices using a CH341A programmer.Only do this if: Your device is on KV7 or higher and is a keyrolled CR50 device.Do not do this if: You are on a KV6 or lower (use Quicksilver or the Pencil Method instead), or the device is not yours.Requirements: CH341A programmer.
If your Chromebook gets bricked using FORGE, it is entirely your fault. Requires a CH341A programmer and comfort with hardware flashing.
Full tutorial at: github.com/justatmeasthis/FORGECredits: 0jos, Titanium Network

Avoiding Re-Enrollment After Unenrolling

After unenrolling, ChromeOS may automatically re-enroll on the next setup. The method to prevent this varies by version. See the full version-specific commands in the Developer Mode guide.

Recovery Images

Many unenrollment methods require downloading a specific version of ChromeOS for your board. Use these resources:
  • cros.download — Recovery image directory, created by Mercury Workshop
  • cros.tech — Channel versions and recovery images browser
Old ChromeOS versions may have vulnerabilities that are patched in newer releases, making these older images essential for version-specific exploits.

External Guide

The community-maintained Chromebook guide covers the full unenrollment and re-enrollment workflow:

chromebook-guide.github.io

Comprehensive guide to unenrolling with Sh1mmer and re-enrolling with Fakemurk. Maintained by the chromebook-guide community.

Build docs developers (and LLMs) love

Get started for freeTalk to us