index.html

<!-- ignore bad everything src plz -->
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>BR1CK</title>
    <link rel="stylesheet" href="style.css">
    <script src="tilt-card.js"></script>
    <link rel="icon" type="image/x-icon" href="/favicon/favicon.ico">
    <script src="https://cdnjs.cloudflare.com/ajax/libs/pako/2.1.0/pako.min.js"></script>
    <meta property="og:title" content="BR1CK">
    <meta property="og:description" content="Unenrollment via creating an empty FWMP TPM space.">
    <meta property="og:image" content="/favicon/android-chrome-192x192.png">
</head>
<body>
    <header>
        <center><img src="images/br1ck.png" width="420"></center>
        <h2 id="join-button"><em>By <a href="https://discord.gg/Pb6qUkacpj">Copernicium</a></em><br>
    </header>

    <main>
        <section> 
            <h2>what even is BR1CK?</h2>
            <p>BR1CK was an exploit released October 27th, 2024 which takes advantage of an oversight while creating FWMP in the TPM. It is capable of unenrolling all devices without platform FWMP on any version below v132. </p>
            <small>Scroll down to see if your device is compatible</small>
        </section>
        <section> 
            <h2>so, how does it work?</h2>
            <p>The exploit works because of an issue that these chromebooks have when enrolling. If you EC reset<sup>[1]</sup> <span class="highlight">↻+⏻</span> at just the right time, it will interupt the creation process and leave you with a blank FWMP. This bricks because its unexpected for FWMP to exist but have no value. <sup>[2]</sup> This state of no FWMP means we can unenroll since we aren't under it's control<sup>[3]</sup>. This allows us to boot into sh1mmer, unenroll, and fix the brick with <span class="highlight">gsctool -a -o</span></p>
            <small>1. EC reset = the 2 keys used to forcefully restart the chromebook<br>2. FWMP TPM space = the data used by ChromeOS for enrollment related stuff<br>3. While FWMP is applied, protections are made to stop it from getting removed. These protections are blocking dev mode, blocking debug cabels, and more which prevents unenrollment</small>
        </section>
        <section>
            <h2>how did you even find this?</h2>
            <p>While trying to do CRSH2TTY<sup>[1]</sup>, I ended up bricking my device multiple times (a total of four). One time, I randomly tried to disable write protection while unbricking with a SuzyQ (debug cable), and surprisingly, it worked! This led to the discovery that FWMP doesn't apply while FWMP is corrupted. This functionality is stored in the read-only firmware, which means Google would have to produce updated Chromebooks with the fix to stop this.<br>
            <small>All of my exploits have been made due to CRSH2TTY in some way.<br>1. CRSH2TTY was a (now patched) unenrollment exploit that required resetting at specific times, similar to BR1CK<br></small></p>
        </section>
        <section> 
            <h2>what do i need to do this?</h2>
            <p>1. Luck (or skill, because you can get it consistently)<br>
            <details><summary>2. A board that is not platform FWMP (click arrow for more info)</summary>
                As of October 29, 2024, if you have one of the boards listed below, you cannot do the exploit:<br>
                <i>nissa, corsola, brya, brask, cherry, guybrush, skyrim, rex, staryu, geralt</i><br>
                <span style="color:cyan">How do I find my board name?</span><br>
                <small id="boardname">Go to <a href="chrome://version">chrome://version</a>, click <span class="highlight">Ctrl + F</span> and search for "stable-channel" the word after that is your board</small><br>
            </details>
            3. (PREFERABLY) access to <a href="chrome://network#logs">chrome://network#logs</a><br>
            4. A leaked shim, a USB drive, and another pc to flash it
            4.1. if you have a keyrolled <span class="highlight">dedede</span> then you can buy a <a href="https://www.ebay.com/itm/335130747039">suzy qable</a><small>(highly recommend this seller, bought from them and they're highly reputable)</small> and use alternative steps i can provide/walk you through
            </p>
        </section>
        <section>
            <h2>how do i perform this exploit?</h2>
            <p>Backup anything that is not sync'd to your google account (mainly files)</p><p>It is a good idea to read these instructions on another device like a phone, you will not be able to access this guide on the chromebook you are using</p>
            <p><details style="line-height:1.75;font-size:15px;">
                <summary><b>[RECOMMENDED] For users with chrome://network#logs (can't be policy blocked, can't use oobescape)</b></summary>
                1. Go to the <a href="#timer">section below this one</a> (finding the reset times), go through the process, and memorize the time it gives you, then continue<br>
                2. Powerwash again by signing out, pressing Ctrl+Alt+Shift+R<br>
                3. Proceed through the setup, when "Getting device ready" pops up, get a stopwatch ready and wait for the next "Enterprise enrollment" screen. <br>
                4. When "Enterprise enrollment" pops up, start your stopwatch.<br>
                5. Wait until you're in the ranges of time (I would go for the higher end) the file uploader gave you, perform an EC-Reset by <span class="highlight">↻+⏻</span>.<br>
                6. If chrome turns back on and you get one of the following screens, proceed, otherwise, keep trying (this may take ages but most people can get it in 2-20 tries)<br><center>
                    <img src="images/chromeosismissingordamaged.jpg" style="width:30vh;height:30vh"></img>
                    <img src="images/somethingwentwrong.jpg" style="width:40vh;height:30vh"></img><br>
                    <small>if you click tab on either of these, under recovery reason it should say something about an error in the TPM</small></center>
                <details><summary>7. Once bricked, get a <a href="https://dl.darkn.bio/SH1mmer/Prebuilt/Legacy">shim</a> (this guide will be using legacy, view arrow for more info)<br></summary>
                    To flash a shim you will need a secondary computer or a different way to connect a usb to a device (yes there are mobile methods if you have the correct connector)<br>
                    1. Head to the link above (https://dl.darkn.bio/SH1mmer/Prebuilt/Legacy)<br>
                    2. Download the shim corresponding to your board<br>
                    Now here's the hard part, flashing<br>
                    4. Use one of the following pieces of software:<br>
                    <a href='https://chromewebstore.google.com/detail/pocpnlppkickgojjlmhdmidojbmbodfm'>CRU Extension</a><br>
                    <a href='https://rufus.ie'>Rufus</a><br>
                    <a href='https://etcher.balena.io'>BalenaEtcher</a><br>
                    (if your on linux you can also use dd)<br>
                    <br>
                    <b>this guide will use the CRU extension</b><br>
                    5. Open CRU and click the setting icon in the top right<br>
                    6. Select the option containing "Local file"<br>
                    7. Select your shim in the file manager<br>
                    8. Select your USB<br>
                    9. Wait for it to finish flashing, when it's done you can take it out and continue<br>
                </details>
                
                <small>If you don't know your board name and still went on with these steps, you can look it up by entering the model name at the bottom on a site like <a href="https://cros.tech">cros.tech</a></small><br>
                8. Press <span class="highlight">ESC + ↻ + ⏻</span> then click <span class="highlight">CTRL + D</span>, then <span class="highlight">enter</span> to enable developer mode (It doesn't matter if it's blocked), and then <span class="highlight">ESC + ↻ + ⏻</span> to enter recovery mode.<br>
                9. Plug in your shim USB<br>
                <small>If you get a screen saying "the device does not contain ChromeOS"/"no valid image" you either chose the wrong shim for your board, didn't go into developer mode, bad flash, bad file, or you've been keyrolled (and cannot continue)</small><br>
                10. When the shim boots, type <span class="highlight">D</span> to select "Deprovision"<br>
                11. Next, type <span class="highlight">B</span> to open a bash shell, this is where we'll unbrick<br>
                12. Type the following command:<pre class="highlight">gsctool -a -o</pre>Press the power button whenever it spams "Press PP button now!" (this will take awhile) <small>whenever it says "Another press will be required" it is telling you to wait, you may have to wait for a minute or even more.</small><br>
                13. Once you're at the end of that process you should reboot and you'll be back at the "Welcome!" screen. (if you don't reboot/gsctool doesn't work, proceed to the bottom section, "errors while unbricking")<br>
                14. Get back into developer mode by pressing <span class="highlight">ESC + ↻ + ⏻</span>, then <span class="highlight">CTRL + D</span>, then <span class="highlight">enter</span>.<br> 
                15. Either press <span class="highlight">CTRL + D</span> if you're on a <span style="color:white;">"OS verification is OFF"</span> white screen, or <span class="highlight">enter</span> if you're on a <span style="color:gray;">"You are in developer mode"</span> black screen. (keep this in mind if you want to stay in developer mode, you will have to do this each time you power it on)<br>
                16. You may get a "Your system is transitioning into Developer Mode" screen, wait for the 5 minute timer to finish, then follow step 15 again to boot into ChromeOS.<br>
                17. Start setting up your chromebook in OOBE by clicking <span class="highlight">Get Started</span>, going through WiFi, and continuing. Then prepare for the next step. <br>
                18. When it says <span class="highlight">Enterprise Enrollement</span> boot into recovery mode <span class="highlight">(ESC + ↻ + ⏻)</span> <br>
                19. Boot the shim<br>
                20. Run deprovise (D), then reboot (e), boot and you should be unenrolled!<br>
                <small>join <a href="https://discord.gg/Pb6qUkacpj">Copernicium</a> on discord for help with anything (MAKE SURE TO READ EVERYTHING FIRST)</small>
            </details></p>
            <p><details style="line-height:1.75;font-size:15px;">
                <summary><b>[REALLY HARD AND LUCK BASED] For users WITHOUT chrome://network#logs</b></summary>
                1. Powerwash by signing out, pressing Ctrl+Alt+Shift+R, and following the instructions.<br>
                2. Proceed with the setup until you get to the "Getting device ready" screen.<br>
                3. Get a stopwatch ready and wait for the "Enterprise enrollment" screen.<br>
                3.5. Start your stopwatch and record how long it took for enrollment to finish <br>
                4. Take the time it took, take around 1-1.5 seconds off the time it took to enroll, proceed<br>
                5. Powerwash again by following step 1, go through the setup, and when you get to the "Enterprise enrollment" screen, start your stopwatch and wait for the time you got from step 4, perform an EC-Reset by <span class="highlight">↻+⏻</span>.<br>
                6. If chrome turns back on and you get one of the following screens, proceed, otherwise, keep trying (this may take ages but most people can get it in 2-20 tries)<br><center>
                    <img src="images/chromeosismissingordamaged.jpg" style="width:30vh;height:30vh"></img>
                    <img src="images/somethingwentwrong.jpg" style="width:40vh;height:30vh"></img><br>
                    <small>if you click tab on either of these, under recovery reason it should say something about an error in the TPM</small></center>
                <details><summary>7. Once bricked, get a <a href="https://dl.darkn.bio/SH1mmer/Prebuilt/Legacy">shim</a> (this guide will be using legacy, view arrow for more info)<br></summary>
                    To flash a shim you will need a secondary computer or a different way to connect a usb to a device (yes there are mobile methods if you have the correct connector)<br>
                    1. Head to the link above (https://dl.darkn.bio/SH1mmer/Prebuilt/Legacy)<br>
                    2. Download the shim corresponding to your board<br>
                    Now here's the hard part, flashing<br>
                    4. Use one of the following pieces of software:<br>
                    <a href='https://chromewebstore.google.com/detail/pocpnlppkickgojjlmhdmidojbmbodfm'>CRU Extension</a><br>
                    <a href='https://rufus.ie'>Rufus</a><br>
                    <a href='https://etcher.balena.io'>BalenaEtcher</a><br>
                    (if your on linux you can also use dd)<br>
                    <br>
                    <b>this guide will use the CRU extension</b><br>
                    5. Open CRU and click the setting icon in the top right<br>
                    6. Select the option containing "Local file"<br>
                    7. Select your shim in the file manager<br>
                    8. Select your USB<br>
                    9. Wait for it to finish flashing, when it's done you can take it out and continue<br>
                </details>
                <small>If you don't know your board name and still went on with these steps, you can look it up by entering the model name at the bottom on a site like <a href="https://cros.tech">cros.tech</a></small><br>
                8. Press <span class="highlight">ESC + ↻ + ⏻</span> then click <span class="highlight">CTRL + D</span>, then <span class="highlight">enter</span> to enable developer mode (It doesn't matter if it's blocked), and then <span class="highlight">ESC + ↻ + ⏻</span> to enter recovery mode.<br>
                9. Plug in your shim USB<br>
                <small>If you get a screen saying "the device does not contain ChromeOS"/"no valid image" you either chose the wrong shim for your board, didn't go into developer mode, bad flash, bad file, or you've been keyrolled (and cannot continue)</small><br>
                10. When the shim boots, type <span class="highlight">D</span> to select "Deprovision"<br>
                11. Next, type <span class="highlight">B</span> to open a bash shell, this is where we'll unbrick<br>
                12. Type the following command:<pre class="highlight">gsctool -a -o</pre>Press the power button whenever it spams "Press PP button now!" (this will take awhile) <small>whenever it says "Another press will be required" it is telling you to wait, you may have to wait for a minute or even more.</small><br>
                13. Once you're at the end of that process you should reboot and you'll be back at the "Welcome!" screen. (if you don't reboot/gsctool doesn't work, proceed to the bottom section, "errors while unbricking")<br>
                14. Get back into developer mode by pressing <span class="highlight">ESC + ↻ + ⏻</span>, then <span class="highlight">CTRL + D</span>, then <span class="highlight">enter</span>.<br> 
                15. Either press <span class="highlight">CTRL + D</span> if you're on a <span style="color:white;">"OS verification is OFF"</span> white screen, or <span class="highlight">enter</span> if you're on a <span style="color:gray;">"You are in developer mode"</span> black screen. (keep this in mind if you want to stay in developer mode, you will have to do this each time you power it on)<br>
                16. You may get a "Your system is transitioning into Developer Mode" screen, wait for the 5 minute timer to finish, then follow step 15 again to boot into ChromeOS.<br>
                17. Start setting up your chromebook in OOBE by clicking <span class="highlight">Get Started</span>, going through WiFi, and continuing. Then prepare for the next step. <br>
                18. When it says <span class="highlight">Enterprise Enrollement</span> boot into recovery mode <span class="highlight">(ESC + ↻ + ⏻)</span> <br>
                19. Boot the shim<br>
                20. Run deprovise (D), then reboot (e), boot and you should be unenrolled!<br>
                <small>join <a href="https://discord.gg/Pb6qUkacpj">Copernicium</a> on discord for help with anything (MAKE SURE TO READ EVERYTHING FIRST)</small>
            </details></p>

        </section>
        <section id="timer">
            <h2>finding the reset times</h2>
            <h3>how to use this?</h3>
            <p>
                1. Powerwash by going into recovery mode <span class="highlight">ESC + ↻ + ⏻</span>, clicking <span class="highlight">ctrl + d</span>, waiting for reboot, then returning to secure mode <small><b>(DON'T POWERWASH THE NORMAL WAY!!)</b></small> <br>
                2. Go to <a href="chrome://network#logs">chrome://network#logs</a><br>
                2. Under the options section check all of the boxes. <br> <small>You can just select the bottom 2 options if you care.</small><br>
                3. Place the <span class="highlight">combined-logs.tar.gz</span> file into the dropzone below. <br>
                <small>If you experience an error ask for help in <a href="https://discord.gg/Pb6qUkacpj">Copernicium</a> </small>
                <br>
                4. The reset timing will appear below the dropzone <br>
            </p>

            <div class="dropzone" id="dropzone">
                Drop your combined-logs_******-******.tar.gz file here
                <br>or<br>
                <input type="file" id="fileInput" accept=".tar.gz">
            </div>
            <div class="progress">
                <div class="progress-bar">
                    <div class="progress-fill"></div>
                </div>
            </div>
            <div id="reset-text"></div>
            <script src="script.js"></script> <!-- do not shift the script src. this is to ensure the elements above have loaded first. -->
            <p>
            <span style="color: #ed8796;">Please report bugs to <a href="https://discord.gg/Pb6qUkacpj">Copernicium</a> on discord</span></p>
        </section>
        <section>
            <h2>errors</h2>
            <details>
                <summary>Could not parse for 'Show enrollment screen'</summary>
                <p>
                    Powerwash and try again, if you continue to see this ask for help in <a href="https://discord.gg/Pb6qUkacpj">Copernicium</a>
                </p>
            </details>
            <details>
                <summary><span class="highlight">gsctool -a -o</span> immediately exits with no output and doesn't reboot</summary>
                <p>
                    1. Run <span class="highlight">gsctool -a -k</span><br>
                    2. Run <span class="highlight">gsctool -a -o</span><br>
                </p>
            </details>
            <details>
                <summary><span class="highlight">gsctool -a -o</span> isn't rebooting, but you went through the pp process</summary>
                <p>
                    1. boot into the shim <br>
                    2. go into the factory install part of sh1mmer with <span class="highlight">f + enter</span> <br>
                    3. select the option corressponding to tpm reset <br>
                    4. do that twice <br>
                    5. boot back into the shim <br>
                    6. run the following: Deprovision, Disable Dev Block, Allow booting from USB <br>
                    7. open the bash terminal with <span class="highlight">b</span> <br>
                    8. run <span class="highlight">gsctool -a -k</span> followed by <span class="highlight">gsctool -a -o</span> <br>
                </p>
            </details>
            <details>
                <summary>still enrolling after completing the guide</summary>
                <p>
                    make sure you've done steps 17-20
                    1. stay in dev mode (DON'T LEAVE OR U MIGHT BE COOKED!)\n
                    2. join <a href="https://discord.gg/Pb6qUkacpj">Copernicium</a> for help lol
                </p>
            </details>
            <details>
                <summary>HELP PLEASE I'M STUCK ON STEP 8</summary>
                <p>
                    <video controls>
                        <source src="images/IMG_3168.mov" type="video/mp4"></video>
                </p>
            </details>
            <span style="color: #ed8796;">if these don't work, please report the error to <a href="https://discord.gg/Pb6qUkacpj">Copernicium</a> on discord</span>
        </section>
        <br>
        <footer>
            <h3>Credits:</h3>
            <p>
                <strong><a href="https://discord.com/users/758049822409228348">byte</a></strong> - Pioneering the development of this, finding the original bug, and coming up with the log consistency idea, and creating the majority of the website.<br>
                <strong><a href="https://discord.com/users/476169716998733834">OlyB</a></strong> - Found out when we were supposed to restart, all we had left was figuring out when that was.<br>
                <strong><a href="https://discord.com/users/828015910127271986">silk</a></strong> - Reproducing the bug first and confirming I wasn't insane<br>
                <strong><a href="https://discord.com/users/829745505784692776">darkn</a></strong> - Providing shims (dl.darkn.bio)<br>
                <strong><a href="https://discord.com/users/1113978877010788432">kilo</a></strong> - Even if he didn't reproduce, he tested SO much (literal hours), major respect to him 🫡<br>
                <strong><a href="https://discord.com/users/1162193398879502336">doxr</a></strong> - existing (also cleaning up the website, dont read the source)<br>
                <strong><a href="https://discord.com/users/769374081991835659">peap</a></strong> - Gave me logs which made it possible to reproduce (it was a whole second inaccurate before him)<br>
                <strong><a href="https://discord.com/users/1209096766075703368">appleflyer</a></strong> - adding direct log archive parsing functionality for calculating timings and bytes emotional support + helping a lil :><br>
                <strong><a href="https://discord.com/users/693274900731002931">Windows XP</a></strong> - Making the guide easier to read and skid-friendly. <a href="http://blog.whale.x10.mx">Also a Whale Inc. member</a><br>
                <strong><a href="https://discord.com/users/1157735898344063069">TNTCrazyError</a></strong> - That goofy ahh video<br>
                <hr>I have left TN (Titanium Network), for support join <a href="https://discord.gg/Pb6qUkacpj">Copernicium</a> or dm <a href="https://discord.com/users/758049822409228348">me</a> <br>
            </p>
        </footer>
    </main>
</body>
</html>