Br0ker
Br0ker is an unenrollment exploit for Kernver 5.
By OlyB
By OlyB
It requires you to be on v132 or lower, which can be achieved by downgrading to v132 LTS. You can also get the bundled update with Sh1mmer, by building with it’s update payload
How do I use Br0ker?
Section titled “How do I use Br0ker?”Sh1mmer only:
- Boot Sh1mmer
- Select
Payloads - Select
Br0ker (unenrollment up to kernver 5)
BadApple + Sh1mmer:
- Enter BadApple
- Plug in your Sh1mmer USB drive
- Find your USB device by running
and noting what shows up. (We’ll be using /dev/sdX as an example, but you must replace “X” with the correct letter.)ls /dev/sd*
- Run these commands:
mkdir -p /mnt/sh1mmermount -o ro /dev/sdX /mnt/sh1mmersh /mnt/sh1mmer/root/noarch/payloads/br0ker.sh
Sh1ttyOOBE + BadRecovery + Sh1mmer (v135-137)
- Perform Sh1ttyOOBE, press [Esc+Ref+Pwr], and enter developer mode
- Enter unverified BadRecovery, ignore errors, and wait for the shell.
- Once it fully loads, unplug the USB drive used for BadRecovery
- Plug in your Sh1mmer USB drive
- Find your USB device by running
and noting what shows up. (We’ll be using /dev/sdX as an example, but you must replace “X” with the correct letter.)ls /dev/sd*
- Run these commands:
mkdir -p /mnt/sh1mmermount -o ro /dev/sdX /mnt/sh1mmersh /mnt/sh1mmer/root/noarch/payloads/br0ker.sh
Sh1ttyOOBE + BadBr0ker (v135-137)
- Perform Sh1ttyOOBE, press [Esc+Ref+Pwr], and enter developer mode.
- Enter BadBr0ker.
- While still in developer mode, press [Ctrl+Alt+Ref], login as “root” run the following commands.
echo --enterprise-enable-unified-state-determination=never >/tmp/chrome_dev.confecho --enterprise-enable-forced-re-enrollment=never >>/tmp/chrome_dev.confecho --enterprise-enable-initial-enrollment=never >>/tmp/chrome_dev.confmount --bind /tmp/chrome_dev.conf /etc/chrome_dev.confinitctl restart ui
- Press [Ctrl+Alt+GoBack] and set up the device fully through the setup process. DO NOT POWER OFF THE DEVICE UNTIL FULLY SETUP, OR UNENROLLMENT WILL FAIL.