nuking chromebook managed mode

so the story here. a friend of mine bought a chromebook that was locked to being managed by some school. even developer mode was locked out. so it is being sent to me. i'm going to attempt to restore it to a "factory"-like setting, and record progress here so others can maybe repeat it (for completely legit and not-theft/crime purposes)

this will probably require at least some hardware modification (hopefully just externally flashing the firmware). at the end of this i may write a short tutorial, but probably not. if i do, it'll be found at this broken link

the basic idea: enterprise management seems to be implemented at a lower level than chrome os itself. dev-mode is disabled, for example. the only thing easily rewritable in the chrome os security model is the rewritable sections of firmware, so it must be a flag somewhere in there. i am assuming that if we erase the firmware with an external flasher, then flash an image of the stock firmware back, it should act like a retail machine with an invalid serial. i started working on this while drunk as shit, so its actual probability of working is probably lower than normal. we will see how it goes

disclaimer: this is for educational use only. i am not a lawyer, but i believe there are some dumb laws about bypassing inefficient security on hardware you own to make sure you can't "steal" music and games and such. honestly, i think that's total bullshit. if you own something, someone shouldn't be breathing down your neck about what you can do with it or not. i think i should be able to play emulators on my nintendo ds. but this here actually is kinda a grey area. so tread lightly.

to be continued.....

day 0

downloaded the recovery image for the device. too drunk to hunt for the bios in it. it should be there somewhere.... i'll figure this shit out when less drunk.

btw, i use a pomona soic-8 clip, a chinese clone arduino pro mini, and frser-duino for all my external flashrom flashing needs pic. it worked great for unbricking my acer c710, and reading/writing random spi chips i have in various pieces of hardware. so hopefully it'll work fine for this

also, how is my drunk typing? i typed all of "day 0" too drunk to walk, and won't edit it later so i know what my drunk-typing is like.

day 1

coming soon.... will probably be more productive than day 0, due to the slightly higher chance of being sober. wife came home early, so i spent all day with her. we watched adventure time, cooked dinner together, played with play doh, etcetera. nothing was done, and i was sober too

but besides wiring up my programmer and getting the firmware ready, there isn't much i can do until the chromebook actually arrives.

if all goes well, all day 1 goals will be achieved easily, and i'll be waiting for the device to actually arrive.

when the device arrives, i have to either discover via the internet, or identify myself, which chip holds the firmware. hoping for an spi soic-8 chip so i can just use the clip i have. if not, i'll have to sober up and break out the soldering iron.

https://johnlewis.ie/extracting-the-shell-ball-rom-using-a-chromeos-image/comment-page-1/ - guide for pulling the firmware from a recovery image. i'll do this tomorrow, and then everything should be good to go when it gets here.

decided not to wait. ellen was on facebook, so i got it all done. on my debian box kpartx made /dev/mapper/loop0px instead of /dev/loopx as in the guide. john uses fedora i think. fedora is weird. i am too used to dpkg to care about learning rpm. but yeah, i now have a ready-to-flash bios.

day whenever the chromebook arrives....

i forgot there was a tpm involved here. let's hope its magic doesn't cause any trouble

opened the chromebook, found the winbond spi chip with ease. i read the firmware off without issue, but for some reason it wouldn't erase or write. fiddled with my wiring and programmer settings for a while, then i remembered that some devices require being plugged in to flash properly. doing so allowed it to flash. it then booted into developer mode, since the back was off. afterwards, it's all free! I WIN!!!!

if you have the skills to do this, then you should have all the information you need. if you need more help, maybe you shouldn't attempt this. enjoy

gbb flags are funky after doing this. mine were set to 0x389. easy to reset. you are probably already in dev-mode, so just: sudo flashrom --wp-disable; sudo flashrom -r bios.bin; sudo gbb_utility -s --flags="0x0" bios.bin; sudo flashrom -w bios.bin

THE END!