zsx


Serving for now as a backup of the main site. Source site: https://my.toho.red

Chromebook BIOS Unlocking and Enterprise Lock Troubleshooting Record

During the past two days at noon, I received a ThinkPad C13 Yoga. I won't repeat the introduction of this machine here; let's get straight to the point.

When I removed the battery and entered developer mode as usual, I encountered a strange problem: when I pressed ctrl+d to enable developer mode and restarted, it always went to the following page:



To make matters worse, no matter how many times I clicked cancel, it would eventually make two beeps and force a restart. After the restart, it would return to safe mode, and it would be the same no matter how many times I repeated it.

When returning to safe mode, the device would also be reset. This time, when I logged in to my account, I found something strange: enterprise enrollment. After searching, I found that Chromebooks have an enterprise management mode, in which administrators can lock the device at any time and disable developer mode. So the reason is obvious: this machine is unfortunately a "dirty machine" managed by the enterprise, so it is naturally impossible to enable developer mode.

When I learned about this result, my first reaction was to return the product. But in the spirit of being cheap, I continued to look for a solution. Finally, with the help of the Discord expert OlyB, I found a solution: using a programmer to directly connect to the BIOS and forcibly remove the enterprise lock.

As we all know, most of the device parameters of ChromeOS are determined by a field called gbb_flags stored in the BIOS chip, including the enterprise lock status. If the enterprise lock variable is 1, it will refuse to enable developer mode, and naturally it cannot unlock the hardware write protection by removing the battery. However, the BIOS chip itself does not have write protection, which means that the field can be forcibly modified by flashing the BIOS using a programmer, achieving the purpose of removing the protection lock. The theory is there, and the practice begins.

First, you need to prepare the following items:

  1. CH341A programmer
  2. SOP8 clip (you need to confirm whether it is WSON or SOP package in advance, I made a big mistake here)
  3. 1.8V adapter (most newer BIOS chips are 1.8V)

After the preparations are complete, you can start:

First, disassemble the host to expose the motherboard:


Find the BIOS chip (usually marked with Winbond on the surface):


Align the chip clip with the BIOS chip, and connect the programmer to the computer:


Boot the computer into any Linux distribution (I used Ubuntu live here), install the flashrom package, and run the script provided by the expert with root privileges:

#!/bin/bash
# Stop at the first failing command so nothing is written back after a failed read or modify.
set -e
cd /tmp
echo "Downloading utilities"
wget https://mrchromebox.tech/files/util/gbb_utility.tar.gz && tar -zxf gbb_utility.tar.gz
wget https://mrchromebox.tech/files/util/vpd.tar.gz && tar -zxf vpd.tar.gz
echo "----------------------"
echo "Press any key to begin"
echo "----------------------"
read -rsn1
# Read the GBB and RW_VPD flash regions through the CH341A programmer.
echo "Read"
flashrom -p ch341a_spi -i GBB -r GBB.bin
flashrom -p ch341a_spi -i RW_VPD -r RW_VPD.bin
# Change the GBB flags and the two VPD keys in the dumped images.
echo "Modify"
./gbb_utility -s --flags=0x8090 GBB.bin
./vpd -f RW_VPD.bin -s check_enrollment=0 -s block_devmode=0
# Write the modified regions back to the chip.
echo "Write"
flashrom -p ch341a_spi -i GBB -w GBB.bin
flashrom -p ch341a_spi -i RW_VPD -w RW_VPD.bin
echo "SUCCESS"

If there are no error outputs after execution, continue with the following steps:

  1. Turn on the computer, press ctrl+d to enter developer mode
  2. After completion, press ctrl+alt+shift+r for powerwash
  3. After powerwash, immediately switch to ctrl+alt+f2 to enter the terminal, log in as "root" and run the following commands:

     tpm_manager_client take_ownership
     cryptohome --action=remove_firmware_management_parameters

     Both commands should display success. If there are errors, downgrade to v110 or lower versions.
  4. Press ctrl+alt+f1, then press ctrl+alt+shift+r for powerwash again
  5. Done, the protection lock has been successfully removed.
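An added example, not part of the original post or the expert's script: a small Python auditor that reads the flags word from a GBB region dump such as `GBB.bin` and names the bits that are set, which shows what the `0x8090` value in the script stands for and lets an admin or refurbisher check a device for relaxed settings. The header layout and bit names follow vboot_reference's public headers; the `POLICY_RELEVANT` set and the sample header are assumptions constructed for illustration.

```python
import struct

# Bit names 0..16 as in vboot_reference's 2gbb_flags.h (VB2_GBB_FLAG_ prefix dropped).
GBB_FLAGS = [
    "DEV_SCREEN_SHORT_DELAY", "LOAD_OPTION_ROMS", "ENABLE_ALTERNATE_OS",
    "FORCE_DEV_SWITCH_ON", "FORCE_DEV_BOOT_USB", "DISABLE_FW_ROLLBACK_CHECK",
    "ENTER_TRIGGERS_TONORM", "FORCE_DEV_BOOT_ALTFW", "RUNNING_FAFT",
    "DISABLE_EC_SOFTWARE_SYNC", "DEFAULT_DEV_BOOT_ALTFW",
    "DISABLE_AUXFW_SOFTWARE_SYNC", "DISABLE_LID_SHUTDOWN",
    "DEPRECATED_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP", "FORCE_MANUAL_RECOVERY",
    "DISABLE_FWMP", "ENABLE_UDC",
]
# Assumption for this example: bits an auditor treats as relaxing boot or
# management enforcement on a production device.
POLICY_RELEVANT = {"FORCE_DEV_SWITCH_ON", "FORCE_DEV_BOOT_USB",
                   "DISABLE_FW_ROLLBACK_CHECK", "FORCE_DEV_BOOT_ALTFW",
                   "DISABLE_FWMP"}
# Start of the GBB header: signature, major, minor, header_size, flags.
HEADER = struct.Struct("<4sHHII")

def read_gbb_flags(blob: bytes) -> int:
    """Return the flags word from a GBB region dump; raise on a bad header."""
    if len(blob) < HEADER.size:
        raise ValueError("dump is shorter than a GBB header")
    sig, major, _minor, header_size, flags = HEADER.unpack_from(blob)
    if sig != b"$GBB":
        raise ValueError(f"bad signature {sig!r}: not a GBB region")
    if major != 1 or header_size > len(blob):
        raise ValueError("unsupported GBB version or truncated header")
    return flags

def decode_flags(flags: int):
    """Split a flags word into (names of known bits set, mask of unknown bits)."""
    names = [n for bit, n in enumerate(GBB_FLAGS) if flags & (1 << bit)]
    unknown = flags & ~((1 << len(GBB_FLAGS)) - 1)
    return names, unknown

def audit(blob: bytes) -> dict:
    """Summarise a GBB dump: raw value, decoded bits, policy-relevant bits."""
    flags = read_gbb_flags(blob)
    names, unknown = decode_flags(flags)
    return {"flags": hex(flags), "set": names, "unknown_bits": hex(unknown),
            "findings": sorted(POLICY_RELEVANT.intersection(names))}

# Constructed sample: a 128-byte v1.2 header carrying the value from the script.
SAMPLE = HEADER.pack(b"$GBB", 1, 2, 128, 0x8090).ljust(128, b"\0")
```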

So did I succeed in removing it? Unfortunately, no. Do you remember this sentence I mentioned earlier?

  2. SOP8 clip (you need to confirm whether it is WSON or SOP package in advance, I made a big mistake here)

Yes, the problem lies here. This machine uses a WSON8 package, but I bought an SOP8 clip, so it is naturally useless. Actually, buying a WSON8 probe can solve the problem, but after several days of struggling, my patience had been exhausted. I directly returned the product for a refund and bought a machine with Windows already installed, so I didn't have a chance to test whether this script is effective. If you unfortunately encounter this situation, you can try this method and give me feedback.

Finally, I hope everyone can avoid pitfalls when buying Chromebooks; after all, this is already the third Chromebook that I have had trouble with (sigh).

June 6, 2023
