Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/S-PScripts/chromebook-utilities/llms.txt

Use this file to discover all available pages before exploring further.

Recovering a saved Wi-Fi password from a managed Chromebook is useful in a range of situations: you may want to share a school hotspot password with another device, reconnect after a powerwash with CAUB, or bring a personal device onto the same network. ChromeOS stores Wi-Fi credentials in an obfuscated form (ROT47 encoding) inside the shill profile, and several tools have been built to extract and decode that data. The methods below range from a direct Crosh shell command to browser-based tools that read policy and sync internals without requiring developer mode.
Extracting and sharing Wi-Fi credentials may violate your school’s Acceptable Use Policy. The methods that require developer mode or a shim will only work on devices where that access is available.

Password Extraction Methods

Use the ChromeOS developer shell (Crosh) to read the shill profile directly and decode the stored passphrase. Requires developer mode or root escalation.
1

Enter developer mode and open Crosh

Enter developer mode on your Chromebook, then open Crosh with Ctrl+Alt+T.
2

Open a shell and escalate

Run the following commands:
shell
sudo su
cd home/root
3

List the root directories

Run ls and copy the middle code string (a long hash-like directory name).
4

Enter the hashed directory

cd [code string here]
5

List files again

Run ls again.
6

Read the shill profile

more shill/shill.profile
7

Find your network's passphrase

Scroll through the output until you find the SSID (network name). Below it, locate the passphrase code after the colon. Copy it.
8

Decode the passphrase

Run the decode command, replacing [passphrase] with the copied value:
echo [passphrase] | tr '!-~' 'P-~!-O'
The output is the plaintext Wi-Fi password.
Credits: JackWagon885 / The Wagonization
NPPE uses Chrome’s network logging feature to capture Wi-Fi credentials as they pass through policy reload. No developer mode required. Use this before powerwashing to save your school Wi-Fi password.
1

Start network logging

Go to chrome://net-export. In the options, set the capture level to Include raw bytes. Click Start logging to Disk and save the file somewhere accessible.
2

Reload policies

Open chrome://policy in a new tab and click Reload policies.
3

Stop logging

Return to the chrome://net-export tab and click Stop logging.
4

Upload to the NPPE tool

Go to https://luphoria.com/netlog-policy-password-tool (or an alternate link below). Click Choose File and select the log file saved in Step 1.
5

Read the password

The Credentials column in the results table contains the Wi-Fi password.
Alternate tool links:Credits: Luphoria, Bypassi
SIPE reads Wi-Fi credentials from Chrome’s sync internals, which stores network passphrases in a searchable format. Does not require developer mode. Works best after using CAUB, but may work without it.
1

Go to the SIPE tool

Open https://sipe.pages.dev/ in a tab.
2

Enter the Wi-Fi name (optional)

Type the name of the Wi-Fi network you want to find in the input box. You can leave it blank, but you will need to guess the network’s internal key in a later step.
3

Click the magic button

Click the magic button. SIPE will tell you which entry to click in Step 6.
4

Open sync internals

Navigate to chrome://sync-internals/ in a new tab.
5

Search for Wi-Fi entries

Click the Search tab, type wifi_ in the text box, and click Search.
6

Click the matching entry

Click the Wi-Fi entry name that SIPE identified in Step 3. Note: the displayed name may be longer than what SIPE shows.
7

Copy the data

Copy all of the entry data shown.
8

Paste into SIPE

Return to the SIPE tab, paste the data into the text box, and click the magic button again.
9

Read the result

SIPE will display the Wi-Fi name and plaintext password.
Alternate link: https://minies.pages.dev/sipe/ — Bypassi’s versionCredits: SimonTheCat#0651, Bypassi
An experimental, advanced method for devices with auto-enrollment on kernel version 2. Uses CryptoSmite backups to access an encrypted stateful partition and read the shill profile from it. Not tested — requires significant ChromeOS hacking knowledge.Requirements:
  • Device has auto-enrollment enabled
  • Device is on kernel version 2 (KV2)
  • An external USB stick and a flashing method
  • Familiarity with ChromeOS lower-level tooling
1

Downgrade ChromeOS

Downgrade to the lowest available ChromeOS version.
2

Install a shim

Install a shim (SH1MMER or shimboot) on your USB drive and boot from it.
3

Download CryptoSmite

At a shell prompt, run:
curl -LO https://raw.githubusercontent.com/FWSmasher/CryptoSmite/main/cryptosmite.sh
curl -LO https://github.com/FWSmasher/CryptoSmite/raw/main/cryptsetup_x86_64
4

Edit the script

In your editor of choice, remove line 123 from cryptosmite.sh.
5

Run the script

Run the script as normal, restart the machine, and powerwash. Do not do anything at the enrollment screen; allow enrollment to complete.
6

Return to the shim and mount the stateful partition

Boot back into the shim, then run:
mkdir /mnt/{encstateful,stateful_part}
base64 -d 24Ep0qun5ICJWbKYmhcwtN5tkMrqPDhDN5EonLetftgqrjbiUD3AqnRoRVKw+m7l > stateful_key
mount /dev/mmcblk0p1 /mnt/stateful_part
${CRYPTSETUP_PATH} open --type plain --cipher aes-cbc-essiv:sha256 --key-size 256 --key-file stateful_key /mnt/stateful_part/encrypted.block encstateful
mount /dev/mapper/encstateful /mnt/encstateful
7

Read the shill profile

more /home/root/*/shill/shill.profile
Find the Password=rot47 line and copy the text below it.
8

Decode the password

echo ${TEXT} | tr '!-~' 'P-~!-O'
Credits: symlink, Titanium Network

Wi-Fi Connection Exploits

If your school blocks non-school devices from connecting to their Wi-Fi, you can use Linux on your Chromebook (unenrolled or in developer mode) to create a wireless hotspot and share the connection.Requirements: Knowledge of Linux command line.
1

Install Linux

Unenroll your Chromebook and install a Linux distribution, or enable Linux developer environment if available. Alternatively, boot a live Linux installer from USB.
2

Install linux-wifi-hotspot

Follow the installation instructions at https://github.com/lakinduakash/linux-wifi-hotspot#installation.
3

Configure and start the hotspot

Open the application. It is recommended to change the SSID and set a password. Do not create an open network. If you enable the hidden network option in the Advanced dropdown, make sure to assign a channel.
4

Connect your devices

Connect to the hotspot from your other devices.
If devices cannot get an IP address (allocation problem):
sudo firewall-cmd --permanent --zone=public --add-port=67/udp
sudo firewall-cmd --reload
Credits: Titanium Network
This is a write-up on how to enable Wi-Fi inside a standard ChromeOS RMA Shim by including the appropriate Linux firmware files.How it works: The Intel Wi-Fi firmware (iwlwifi .ucode files) is copied from the upstream linux-firmware repository into the shim’s /lib/firmware/ directory. The shim’s startup script then loads the wireless driver and configures a DNS nameserver.Building (add Wi-Fi firmware to the shim):
git clone --depth=1 https://chromium.googlesource.com/chromiumos/third_party/linux-firmware
rm -rf $(find ./linux-firmware/* -not -name "iwlwifi*.ucode")
cp -r ./linux-firmware/* $wherever_your_shim_is/lib/firmware/
Activating Wi-Fi in the shim’s startup script:Add the following to whatever file runs during the shim’s boot sequence:
rm -f /etc/resolv.conf
echo "nameserver 8.8.8.8" > /etc/resolv.conf
mkdir -p /run/dbus
dbus-daemon --system > /dev/null 2>&1
mkdir -p /var/lib
modprobe -r iwlwifi
modprobe iwlwifi
Credits: Soap Phia, Titanium Network

Build docs developers (and LLMs) love

Get started for freeTalk to us