Chromebook SH1MMER exploit promises admin jailbreak
Users of enterprise-managed Chromebooks now, for better or worse, have a way to break the shackles of administrative control through an exploit called SH1MMER.
SH1MMER – you may pronounce the “1” as an “i” – is a shim exploit, or more specifically, a weaponized Return Merchandise Authorization (RMA) shim. A shim is Google-signed software used by hardware service vendors for Chromebook diagnostics and repairs.
With a shim that has been processed and patched, managed Chromebooks can be booted from a suitably prepared recovery drive in a way that allows the device setup to be altered via the SH1MMER recovery screen menu.
“You will now be able to, among other things, unenroll your Chromebook,” the Mercury Group explains on its exploit website. “It will now behave entirely as if it is a personal computer and no longer contain spyware or blocker extensions. After you do this and get past the ‘determining device configuration’ screen, you will be able to actually turn dev mode on.”
An RMA shim incorporates the Chrome OS factory bundle components, with the factory install shim, a release image, a test image, a factory toolkit, a HWID (hardware identification) bundle, and possibly other elements. It may be universal or board-specific.
Building a universal RMA shim involves using Google’s image_tool to download the factory software bundle, modify it with the necessary components, and create a binary that then gets flashed to a USB drive. A Chromebook in developer mode can then be rebooted from that drive image and evaluated for potential repairs.
Those using managed Chromebooks – 50 million teachers and students, by Google’s count – don’t normally have developer mode enabled. But SH1MMER can be applied regardless using the Chromebook Recovery Utility extension, a browser extension for creating recovery media (e.g. a recovery USB drive or SD card).
Doing so requires obtaining a board-specific RMA shim that has been leaked online or obtained through hacking, then patching it with the exploit builder. The tool works because, as one of the hackers involved (CoolElectronics#4683) explains, only kernel partitions are checked for signatures by ChromeOS firmware. Other partitions can be edited after the forced readonly bit is removed.
In a statement provided to The Register, a Google spokesperson said, “We are aware of the issue affecting a number of ChromeOS device RMA shims and are working with our hardware partners to address it.”
The Mercury Group, 15 hackers credited with developing the project (including one who claims to be a student), warns that some pre-patched binaries found online may brick Chromebooks when applied. They advise patching a known valid shim rather than just trusting files found online. That said, they’ve posted a list of raw shims.
The hardware liberators suggest adding a personal account first on an unenrolled device and then adding a school account to enable switching back and forth to an uncontrolled environment. They also state that they do not endorse SH1MMER or device unenrollment as a means to cheat at school.
In a discussion on Hacker News, IT types who developed their skills by breaking the less sophisticated systems of yore expressed sympathy for students trying to escape administrative control.
A company statement published online advises customers to take steps to watch for devices that have not synced recently, to disable enrollment permission for most users, to block downloads of the Chrome Recovery Utility extension, to block access to chrome://net-export in order to prevent the capture of wireless credentials, and to block access to websites distributing exploit tools like sh1mmer.me. ®
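A defender-side check for the first of those recommendations, added here as an example and not part of the article or of any Google tooling: it scans a constructed device export for enrolled devices that have stopped syncing or report a non-verified boot mode. The field names are modelled on the Admin SDK chromeosdevices resource, but that mapping and the seven-day threshold are assumptions.

```python
# Added example: flag managed ChromeOS devices that match the indicators the
# statement above tells admins to watch for. Field names (lastSync, bootMode,
# status) follow the Admin SDK chromeosdevices resource; that mapping is an
# assumption, as is the seven-day threshold.
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=7)  # assumption: tune per fleet
REFERENCE_NOW = datetime(2023, 2, 2, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed sample export, not real devices.
SAMPLE_DEVICES = [
    {"serialNumber": "CONSTRUCTED-001", "status": "ACTIVE",
     "lastSync": "2023-02-01T09:00:00Z", "bootMode": "Verified"},
    {"serialNumber": "CONSTRUCTED-002", "status": "ACTIVE",
     "lastSync": "2023-01-10T09:00:00Z", "bootMode": "Verified"},
    {"serialNumber": "CONSTRUCTED-003", "status": "ACTIVE",
     "lastSync": "2023-02-01T12:00:00Z", "bootMode": "Dev"},
    {"serialNumber": "CONSTRUCTED-004", "status": "DEPROVISIONED",
     "lastSync": "2022-12-01T00:00:00Z", "bootMode": "Verified"},
]


def parse_ts(value):
    """Parse the RFC 3339 UTC timestamps used in the export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspect_devices(devices, now=REFERENCE_NOW, stale_after=STALE_AFTER):
    """Return {serial: [reasons]} for active devices worth a follow-up.

    A device that stops syncing may have been unenrolled locally while the
    admin console still lists it; a managed device reporting a dev-mode boot
    is out of policy on its own."""
    suspects = {}
    for dev in devices:
        if dev.get("status") != "ACTIVE":
            continue  # deprovisioned devices are expected to go quiet
        reasons = []
        if now - parse_ts(dev["lastSync"]) > stale_after:
            reasons.append("no sync for more than %d days" % stale_after.days)
        boot_mode = dev.get("bootMode", "unknown")
        if boot_mode.lower() != "verified":
            reasons.append("booted in %s mode" % boot_mode)
        if reasons:
            suspects[dev["serialNumber"]] = reasons
    return suspects


if __name__ == "__main__":
    for serial, reasons in find_suspect_devices(SAMPLE_DEVICES).items():
        print(serial, "->", "; ".join(reasons))
```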