先作为主站备份 源站:https://my.toho.red

Chromebook BIOS Unlocking and Enterprise Lock Troubleshooting Record

During the past two days at noon, I received a thinkpad c13 yoga. I won't repeat the introduction of this machine here, let's get straight to the point.

When I removed the battery and entered developer mode as usual, I encountered a strange problem: when I pressed ctrl+d to enable developer mode and restarted, it always went to the following page:


To make matters worse, no matter how many times I clicked cancel, it would eventually make two beeps and force a restart. After the restart, it would return to safe mode, and it would be the same no matter how many times I repeated it.

When returning to safe mode, the device would also be reset. This time, when I logged in to my account, I found something strange: enterprise enrollment. After searching, I found that Chromebooks have an enterprise management mode, in which administrators can lock the device at any time and disable developer mode. So the reason is obvious: this machine is unfortunately a "dirty machine" managed by the enterprise, so it is naturally impossible to enable developer mode.

When I learned about this result, my first reaction was to return the product. But in the spirit of being cheap, I continued to look for a solution. Finally, with the help of the Discord expert OlyB, I found a solution: using a programmer to directly connect to the BIOS and forcibly remove the enterprise lock.

As we all know, most of the device parameters of ChromeOS are determined by a field called gbb_flags stored in the BIOS chip, including the enterprise lock status. If the enterprise lock variable is 1, it will refuse to enable developer mode, and naturally it cannot unlock the hardware write protection by removing the battery. However, the BIOS chip itself does not have write protection, which means that the field can be forcibly modified by flashing the BIOS using a programmer, achieving the purpose of removing the protection lock. The theory is there, and the practice begins.

First, you need to prepare the following items:

  1. CH341A programmer
  2. SOP8 clip (you need to confirm whether it is WSON or SOP package in advance, I made a big mistake here)
  3. 1.8V adapter (most newer BIOS chips are 1.8V)

After the preparations are complete, you can start:

First, disassemble the host to expose the motherboard:


Find the BIOS chip (usually marked with Winbond on the surface):


Align the chip clip with the BIOS chip, and connect the programmer to the computer:


Boot the computer into any Linux distribution (I used Ubuntu live here), install the flashrom package, and run the script provided by the expert with root privileges:

cd /tmp
echo "Downloading utilities"
wget https://mrchromebox.tech/files/util/gbb_utility.tar.gz && tar -zxf gbb_utility.tar.gz
wget https://mrchromebox.tech/files/util/vpd.tar.gz && tar -zxf vpd.tar.gz
echo "----------------------"
echo "Press any key to begin"
echo "----------------------"
read -rsn1
echo "Read"
flashrom -p ch341a_spi -i GBB -r GBB.bin
flashrom -p ch341a_spi -i RW_VPD -r RW_VPD.bin
echo "Modify"
./gbb_utility -s --flags=0x8090 GBB.bin
./vpd -f RW_VPD.bin -s check_enrollment=0 -s block_devmode=0
echo "Write"
flashrom -p ch341a_spi -i GBB -w GBB.bin
flashrom -p ch341a_spi -i RW_VPD -w RW_VPD.bin
echo "SUCCESS"

If there are no error outputs after execution, continue with the following steps:

  1. Turn on the computer, press ctrl+d to enter developer mode
  2. After completion, press ctrl+alt+shift+r for powerwash
  3. After powerwash, immediately switch to ctrl+alt+f2 to enter the terminal, log in as "root" and run the following commands:
tpm_manager_client take_ownership
cryptohome --action=remove_firmware_management_parameters

Both commands should display success. If there are errors, downgrade to v110 or lower versions.
4. Press ctrl+alt+f1, then press ctrl+alt+shift+r for powerwash again
5. Done, the protection lock has been successfully removed.

So did I succeed in removing it? Unfortunately, no. Do you remember this sentence I mentioned earlier?

  1. SOP8 clip (you need to confirm whether it is WSON or SOP package in advance, I made a big mistake here)

Yes, the problem lies here. This machine uses WSON8 package, but I bought an SOP8 clip, so it is naturally useless. Actually, buying a WSON8 probe can solve the problem, but after several days of struggling, my patience has been exhausted. I directly returned the product for a refund and bought a machine with Windows already installed, so I didn't have a chance to test whether this script is effective. If you unfortunately encounter this situation, you can try this method and give me feedback.

Finally, I hope everyone can avoid pitfalls when buying Chromebooks, after all, this is already the third Chromebook that I have had trouble with (sigh).

June 6, 2023

Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.