├── LICENSE
├── injectsh1mmer.sh
├── tldr.md
├── autoshim.sh
└── README.md


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 rainestorme
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/injectsh1mmer.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | echo "This script automatically injects sh1mmer into a previously built image."
 4 | echo "This assumes that you've either built an RMA shim using AutoShim or that you've sourced your own image."
 5 | echo "This should be passed the path to the image you want to inject sh1mmer into."
 6 | echo "This will take about 5gb of disk space."
 7 | sleep 3
 8 | 
 9 | echo "Installing required packages..."
10 | sudo apt-get update -y
11 | sudo apt-get install -y cgpt
12 | 
13 | echo "Downloading sh1mmer source tree..."
14 | git clone https://github.com/CoolElectronics/sh1mmer.git
15 | 
16 | echo "Downloading Chromebrew tarball..."
17 | cd sh1mmer/wax
18 | wget https://dl.sh1mmer.me/build-tools/chromebrew/chromebrew.tar.gz
19 | 
20 | echo "Copying image to sh1mmer directory..."
21 | cp $1 ./shim.bin
22 | 
23 | echo "Starting image injection via wax.sh..."
24 | sudo ./wax.sh shim.bin
25 | 
26 | echo "Hopefully, sh1mmer worked. If it outputted an error about loopbacks, please press Ctrl+C in the next 3 seconds to cancel the further execution of the script."
27 | sleep 3
28 | 
29 | echo "Copying image to auto-sh1mmer directory..."
30 | cp shim.bin ../../sh1mmer-payload.bin
31 | 
32 | echo "Cleaning up..."
33 | cd ../../
34 | rm -Rf sh1mmer
35 | 
36 | echo "Done! Your image should be located in ./sh1mmer-payload.bin"
37 | echo "You can flash this image to your USB drive using the following command (assuming you're on linux): "
38 | echo "dd if=./sh1mmer-payload.bin of=/dev/sdx    (note: /dev/sdx should be replaced with the block device representing your USB drive. Be careful! DD has been nicknamed 'disk destroyer' for a reason!)"
39 | echo "Or, if you're on Windows, you can use Rufus to flash the image to your USB drive. Just make sure to select 'DD mode' to ensure compatibility."
40 | echo "If you're on macOS, you're screwed. You'll have to use a VM or something."


--------------------------------------------------------------------------------
/tldr.md:
--------------------------------------------------------------------------------
 1 | # auto-sh1mmer
 2 | 
 3 | ## Disclaimer: skids beware!
 4 | 
 5 | Using this project requires a significant bit of knowledge about \*nix shells, the boot process and drive partitioning. Before you even run this on your system, be sure to read through it to understand what it does! I'm **not responsible** if you mess up following the instructions!
 6 | 
 7 | This project does not produce a signed RMA shim. If you want to sign a RMA shim, you need to extract the proprietary components from an official ChromeOS shim, which I will not provide for legal reasons.
 8 | 
 9 | The creator of this project **does not** endorse un-enrolling your Chromebook where it would violate the terms of any legally binding agreement or be illegal in any other fashion. The creator **does not**, under any circumstances, take any liability for what is done with this project.
10 | 
11 | ## Usage
12 | 
13 | > Ye be warned: these are instructions intended for experienced \*nix users! Go back to [README.md](https://github.com/rainestorme/auto-sh1mmer) for simpler instructions!
14 | 
15 | **These instructions are intended to be run on a fresh install of Ubuntu 20.04 LTS Desktop/Server, with at least 45gb of storage space available. Only run these commands as root if the instructions say so.**
16 | 
17 | 1. Clone the repo and `cd` into it.
18 | 2. Find the board that you're building for (see [Building a Shim](https://github.com/rainestorme/auto-sh1mmer)).
19 | 3. Pass that board into `autoshim.sh`: `./autoshim.sh <board>`
20 | 4. When shown a shell prompt with the prefix `(cr)`, run `exit`.
21 | 5. Once finished, you can optionally add the `sh1mmer` payload by running: `./injectsh1mmer.sh ~/chromiumos/chroot/mnt/imgs/build_shim.bin`
22 | 
23 | ## Injecting sh1mmer into a prebuilt shim
24 | 
25 | 1. It's pretty simple. Just run: `./injectsh1mmer.sh /path/to/shim.bin`
26 | 
27 | ## Flashing a USB drive
28 | 
29 | 1. There are a couple of options for this. If you're on \*nix, use `dd` to flash the shim to a drive, or, if you're on Windows, you can use Rufus in `dd` mode. If you're on MacOS, you're screwed. Sorry. Get a better OS.
30 | 
31 | ## Booting the shim
32 | 
33 | 1. Just follow the instructions in [README.md](https://github.com/rainestorme/auto-sh1mmer).
34 | 


--------------------------------------------------------------------------------
/autoshim.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | echo "AutoShim - Automatically builds a RMA shim for the passed chromebook board type"
 4 | echo "This will use around 45GB of disk space. Make sure you have that much available, or else this script will fail!"
 5 | echo "For confirmation: You are currently building a shim for the board type $1."
 6 | echo "At any point within the next 8 seconds, you can press Ctrl+C to cancel."
 7 | sleep 8
 8 | 
 9 | echo "Installing required packages..."
10 | sudo add-apt-repository universe
11 | sudo apt-get update
12 | sudo apt-get install git gitk git-gui curl xz-utils \
13 |     python3-pkg-resources python3-virtualenv python3-oauth2client -y
14 | 
15 | echo "Installing depot_tools..."
16 | git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
17 | export PATH=$(pwd)/depot_tools/:$PATH
18 | 
19 | echo && echo
20 | echo "Reinstalling locales..."
21 | sudo apt-get install locales
22 | 
23 | echo && echo
24 | echo "Ensuring architechture..."
25 | if uname -m | grep '64'; then
26 |   echo "ARCH: 64-bit. You're all good!"
27 | else
28 |   echo "ARCH: 32-bit. Sadly, your system is incompatible."
29 |   exit 1
30 | fi
31 | echo && echo
32 | 
33 | echo "Creating source directory and cloning repo... This will take a lot of disk space (>10gb)"
34 | echo && echo
35 | mkdir -p ~/chromiumos
36 | cd ~/chromiumos
37 | repo init -u https://chromium.googlesource.com/chromiumos/manifest -b main -g minilayout # Minilayout works most of the time. Emphasis on 'most'.
38 | repo sync -j$(nproc)
39 | 
40 | echo && echo
41 | echo "Setting up cros_sdk... (this will take a couple of minutes and about 3GB of disk space)"
42 | echo "Once finished, you will be dropped into a shell. Please type 'exit' to continue the process of building an RMA shim."
43 | echo && echo
44 | sleep 8
45 | cros_sdk -debug # Debug is for verbose output to make sure that it's actually working
46 | 
47 | echo && echo
48 | # Good job, you're not a skid! Thanks for actually reading this to see what it does instead of mindlessly giving other people access to your computer!
49 | # If you're wondering about the weird syntax, it's because I'm using a heredoc to pass commands to the chroot shell through stdin.
50 | echo "Beginning chroot-based build..."
51 | cros_sdk <<EOT
52 | echo "Creating shared point for image..."
53 | mkdir -p /mnt/imgs
54 | echo "Setting up board $1..."
55 | setup_board --board=$1
56 | echo "Building packages for $1..."
57 | build_packages --board=$1
58 | echo "Building RMA shim for board $1"
59 | build_image --board $1 factory_install
60 | mv ~/trunk/src/build/images/$1/latest/factory_install_shim.bin /mnt/imgs/build_shim.bin
61 | EOT
62 | 
63 | echo && echo
64 | echo "Done creating RMA shim! Your image should be located in ~/chromiumos/chroot/mnt/imgs/build_shim.bin"
65 | echo "Leave us a star on GitHub if it worked for you."
66 | echo "If you want to inject the sh1mmer payload (BeautifulWorld) into this shim, run './injectsh1mmer.sh ~/chromiumos/chroot/mnt/imgs/build_shim.bin'."
67 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # auto-sh1mmer
  2 | 
  3 | An automatic set of scripts to build a RMA (factory) shim for a given ChromeOS board and inject the sh1mmer payload (BeautifulWorld).
  4 | 
  5 | ## Regarding Prebuilt Shims
  6 | 
  7 | This repository aims to provide a means to build your own shim from source. However, I also provide prebuilt, signed shims in a convenient mega.nz folder which you can find below. I plan to upload more shims as I build them, as for now only a few are available.
  8 | 
  9 | Folder link: https://mega.nz/folder/DIwBBTxK
 10 | 
 11 | Decryption key: `OO3Ma9bBsnp2x81l2jNSUw`
 12 | 
 13 | ## Disclaimer: Skids beware!
 14 | 
 15 | Using this project requires a significant bit of knowledge about \*nix shells, the boot process and drive partitioning. Before you even run this on your system, be sure to read through it to understand what it does! I'm **not responsible** if you mess up following the instructions!
 16 | 
 17 | This project does not produce a signed RMA shim. If you want to sign a built RMA shim, you need to extract the proprietary components from an official ChromeOS shim, which I will not provide for legal reasons.
 18 | 
 19 | The creator of this project **does not** endorse un-enrolling your Chromebook where it would violate the terms of any legally binding agreement or be illegal in any other fashion. The creator **does not**, under any circumstances, take any liability for what is done with this project.
 20 | 
 21 | ## Experienced Users
 22 | 
 23 | If you know what you're doing and don't need to be held by the hand through the entire process, see [./tldr.md](https://github.com/rainestorme/auto-sh1mmer/blob/main/tldr.md).
 24 | 
 25 | ## Usage
 26 | 
 27 | There are two scripts in this repo: `autoshim.sh` and `injectsh1mmer.sh`. The first one is used to build a RMA shim for a given ChromeOS board, and the second one is used to inject the sh1mmer payload into the shim. If you already have a prebuilt shim, you can skip the first step and go straight to the second one.
 28 | 
 29 | ### Building a shim
 30 | 
 31 | To build a shim, you need to know what board you want to build for. You can see this by visiting `chrome://version` on a Chrome/ChromiumOS device, and looking for the word after `stable-channel`. For example, if you see `stable-channel kindred`, then you want to build for `kindred`.
 32 | 
 33 | A couple of common boards are:
 34 | 
 35 | - `jacuzzi`
 36 | - `kindred`
 37 | - `lars`
 38 | - `grunt`
 39 | 
 40 | Before you start, there are a couple of choices for your environment. You can either use a VM running Ubuntu 20.04 (LTS), or you can use a physical machine running Ubuntu off of a USB stick, which will no doubt provide superior performance. The Gitpod free tier is unable to run this script, as it requires around 35gb of disk space and only 10gb are available. It also does not function on the free tier of Github Codespaces, although they provide a formidable 30gb of storage.
 41 | 
 42 | **No matter how you choose to run your environment, you should be using Ubuntu 20.04 or one of its distributions at a matching version (Xubuntu, Lubuntu, Ubuntu Unity, etc). Kali Linux *will not* work (I'm looking at you, 3kh0)!** 
 43 | 
 44 | **Only run these commands as root if the instructions say so. Stuff will break if your home directory is set to `/root`!**
 45 | 
 46 | No matter what you chose, the steps are the same:
 47 | 
 48 | #### 1. Clone this repo and `cd` into it
 49 | 
 50 | ```bash
 51 | git clone https://github.com/rainestorme/auto-sh1mmer.git
 52 | cd auto-sh1mmer
 53 | ```
 54 | 
 55 | #### 2. Run the `autoshim.sh` script, passing in the board you want to build for
 56 | 
 57 | ```bash
 58 | ./autoshim.sh <board>
 59 | ```
 60 | 
 61 | For example, if you want to build for `kindred`, you would run:
 62 | 
 63 | ```bash
 64 | ./autoshim.sh kindred
 65 | ```
 66 | 
 67 | Wait for the script to finish. It might prompt you for your password a couple of times, in which case just enter it and press enter.
 68 | 
 69 | About halfway through the script, you will be dropped into a terminal. Before you do **anything**, make sure that it says `(cr)` before the shell prompt. An example prompt would look like this:
 70 | 
 71 | ```txt
 72 | (cr) ((...)) you@hostname ~/chromiumos/src/scripts $
 73 | ```
 74 | 
 75 | When you see this, type `exit` and press enter to continue the build process. From here, everything else is automatically done.
 76 | 
 77 | It will take a while, but it will eventually finish. You will know it's finished when you see the following message:
 78 | 
 79 | ```txt
 80 | Done creating RMA shim! Your image should be located in ~/chromiumos/chroot/mnt/imgs/build_shim.bin
 81 | ```
 82 | 
 83 | #### 3. If you don't want to install the sh1mmer payload into the shim, you can skip this step. To inject BeautifulWorld into the shim, run the `injectsh1mmer.sh` script, passing in the path to the shim you just built
 84 | 
 85 | ```bash
 86 | ./injectsh1mmer.sh /path/to/shim
 87 | ```
 88 | 
 89 | If you just built the shim with `autoshim.sh`, then you can just run:
 90 | 
 91 | ```bash
 92 | ./injectsh1mmer.sh ~/chromiumos/chroot/mnt/imgs/build_shim.bin
 93 | ```
 94 | 
 95 | This shouldn't take too long, and once it's done, you'll see the following message:
 96 | 
 97 | ```txt
 98 | Done! Your image should be located in ./sh1mmer-payload.bin
 99 | ```
100 | 
101 | #### 4. Flash the shim to a USB drive
102 | 
103 | If you're using a VM, then you should make sure that you passed through the USB drive to the VM. If you're using a physical machine, then you should make sure that the USB drive is plugged in (obviously). Let's find the path to the USB drive. Run the following command:
104 | 
105 | ```bash
106 | sudo fdisk -l
107 | ```
108 | 
109 | You should see a list of drives. Look for the one that is the size of your USB drive, as well as the brand. It should be something like `/dev/sdX`, where `X` is a letter. If you're not sure, you can unplug the USB drive and run the command again. The drive that disappears is the one you want. Once you've found the drive, run the following command, replacing `/dev/sdX` with the path to your USB drive:
110 | 
111 | If you've injected the sh1mmer payload into the shim, then run:
112 | 
113 | ```bash
114 | dd if=sh1mmer-payload.bin of=/dev/sdX
115 | ```
116 | 
117 | Make sure to replace /dev/sdX with your USB drive path! If you get it wrong, you could easily wipe your primary drive, which, Pro tip: is not good.
118 | 
119 | If you built the shim and didn't inject the sh1mmer payload, then run:
120 | 
121 | ```bash
122 | dd if=~/chromiumos/chroot/mnt/imgs/build_shim.bin of=/dev/sdX
123 | ```
124 | 
125 | Again, make sure to replace /dev/sdX with your USB drive path!
126 | 
127 | Hopefully, you should see a bunch of output, and then it should finish. If you get an error, make sure you're using the correct path to your USB drive, and that the USB drive has enough storage space to hold the shim (16gb minimum).
128 | 
129 | If you don't want to do this through linux, you can use [Rufus](https://rufus.ie/en/) on Windows to flash the shim to a USB drive (ensure that you select `dd` mode when prompted).
130 | 
131 | ### Booting the shim
132 | 
133 | Grab your ChromeOS device (developer mode enabled with `dev_boot_usb` for booting an unsigned image like the one you just made) and boot it into recovery mode. This is done by holding `ESC` and `Refresh` (F3) and then pressing and holding the power button. Release it after a second or so. You should see a screen that looks like either of the following images:
134 | 
135 | <img src="https://sh1mmer.me/assets/recover_black.png" alt="Recovery Mode (newer)" width="400"/>
136 | <img src="https://sh1mmer.me/assets/recover_white.png" alt="Recovery Mode (older)" width="400"/>
137 | 
138 | Press `Ctrl+D` then `Enter` to enter developer mode. Once the device reboots, you should see a screen that looks like either of these:
139 | 
140 | <img src="https://sh1mmer.me/assets/confirm_black.png" alt="Developer Mode (newer)" width="400"/>
141 | <img src="https://sh1mmer.me/assets/confirm_white.png" alt="Developer Mode (older)" width="400"/>
142 | 
143 | This is where the steps differ from traditional ChromeOS developer mode. Press `ESC` and `Refresh` (F3) and then press and hold the power button. Release it after a bit. You should see a very similar screen to the one you saw when you booted into recovery mode.
144 | 
145 | This is where your USB drive comes in. Plug it into the device, then press `ESC`, `Refresh` (F3), and `Power` again. I promise this is the last time. After a brief black-and-white loading screen, you should be greeted with either the screen of options for your device (if you didn't use the sh1mmer payload), or the sh1mmer BeautifulWorld menu (if you did). Although we don't have a screenshot for the options screen due to its dynamic nature, here's a screenshot of the sh1mmer menu:
146 | 
147 | <img src="https://sh1mmer.me/assets/utils-select01.png" alt="sh1mmer menu" width="400"/>
148 | 
149 | From here the rest is up to you. You can, among other things, un-enroll and re-enroll your device, enable USB booting, flash custom firmware, open a shell, disable rootFS verification (write-protect), and disable the lock against developer mode.
150 | 
151 | ### Booting from a USB drive
152 | 
153 | If you want to boot from a USB drive, you can do so by following the steps below. This is not required, but it's a nice feature to have.
154 | 
155 | #### 1. Enable USB booting
156 | 
157 | Boot into the sh1mmer menu, and select `Enable USB booting`. This will run the built-in developer mode command that enables USB booting. Once it's done, reboot the device.
158 | 
159 | #### 2. Activate the hidden USB boot feature
160 | 
161 | At the developer mode confirmation screen, press `Ctrl+U`. This will cause ChromeOS to continue booting from the first USB drive it finds. If you have multiple USB drives, the results of this command are unpredictable. In that case, unplug all USB drives *except* the one you want to boot from before pressing `Ctrl+U`.
162 | 
163 | #### 3. Boot from the USB drive as normal
164 | 
165 | You should be greeted with the USB drive's boot menu, usually GRUB2 or some other bootloader (I'm looking at you, Windows). Proceed with booting it as you normally would.
166 | 
167 | ### Disabling rootFS verification (write-protect)
168 | 
169 | You can disable rootFS verification, which is also known as write-protect, using the sh1mmer menu. This is useful if you want to modify the root filesystem, or if you want to install a custom firmware. To disable rootFS verification, boot into the sh1mmer menu, and select `Disable rootFS verification`. From here, reboot the device. You should now be able to modify the root filesystem, install custom firmware, use the `rw` flag, and more.
170 | 
171 | ### Enabling developer mode
172 | 
173 | You can also enable developer mode so that you can access the developer shell and the `chronos` and `root` accounts through `crosh`. You can do this by booting into the sh1mmer menu, and selecting `Enable developer mode`. However, you should be aware that this will not stop enterprise enrollment from blocking various aspects of your device's functionality. For optimal results, you should also un-enroll your device.
174 | 
175 | 
176 | 


--------------------------------------------------------------------------------