
Sh1ttyExec

Sh1ttyExec is an exploit that can be used to boot unverified recovery images on a keyrolled device.
By lxrd
  1. Powerwash the device.
  2. Start enrolling the device. On the Enrollment screen (not the "please wait" screen), open the powerwash menu (ctrl+alt+shift+r) and wait until it crashes back to OOBE.
  3. Try enrolling again. The moment enrollment starts (again the screen that says enrollment, not "please wait"), press esc+refresh+power. This is timing sensitive, so do not expect to get it on the first try. Once it works, block_devmode is set to 0 in the VPD and you can boot an unverified recovery image (badrecovery unverified), which can in turn facilitate exploits and unenrollments such as quicksilver on keyrolled devices (kv6). To enter an unverified recovery image: esc+refresh+power, then ctrl+d and enter (the developer mode prompt), then esc+refresh+power again and plug in the USB.

Explanation: When you enroll, the device goes through state determination. If it crashes back to OOBE and you try to enroll again, state determination runs a second time. As part of that it tries to clear the FWMP (firmware management parameters), which fails because the TPM is locked; however, it does set block_devmode in the VPD to 0. Shortly afterwards it sets it back to 1, but we can simply restart or enter the recovery menu before it is able to. Leaving block_devmode at 0 allows us to boot unverified recovery images and gain (or lead to) code execution via badrecovery unverified. A project called recomm3r is being released by carbon soon; it is an unverified recovery image with a clean GUI and many utilities, like sh1mmer.
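The check a practitioner wants after attempting the timing-sensitive step, or when examining a device afterwards, is whether block_devmode actually stayed at 0 while the device is still flagged as enrolled. The script below is an added example written for this page, not code from the Sh1ttyExec writeup or from recomm3r. It assumes a root shell where the vpd tool exists (for example the unverified recovery environment or a developer-mode shell), the "key"="value" line format of `vpd -i RW_VPD -l`, and uses the check_enrollment RW_VPD key as the enrollment marker (the writeup does not mention that key). The sample listings are constructed so it also runs offline.

```shell
#!/bin/sh
# Added example (not part of the Sh1ttyExec writeup): read the RW_VPD keys that
# govern whether developer mode / unverified recovery is allowed and classify
# the device state. Line format is that of `vpd -i RW_VPD -l`:  "key"="value"

# Print the value of one VPD key from a listing, or "unset" if it is absent.
vpd_get() {
  # $1: vpd listing text, $2: key name
  val=$(printf '%s\n' "$1" | sed -n "s/^\"$2\"=\"\([^\"]*\)\"\$/\1/p" | head -n 1)
  if [ -n "$val" ]; then printf '%s' "$val"; else printf 'unset'; fi
}

# Classify the state relevant to this technique:
#   locked : block_devmode=1, developer mode and unverified recovery blocked
#   window : still marked enrolled (check_enrollment=1) but block_devmode is
#            0/unset, i.e. the post-crash state the writeup relies on
#   open   : block_devmode 0/unset and not marked enrolled
vpd_state() {
  bd=$(vpd_get "$1" block_devmode)
  ce=$(vpd_get "$1" check_enrollment)
  if [ "$bd" = "1" ]; then
    printf 'locked'
  elif [ "$ce" = "1" ]; then
    printf 'window'
  else
    printf 'open'
  fi
}

# Constructed sample listings (offline stand-ins for `vpd -i RW_VPD -l`).
SAMPLE_LOCKED='"block_devmode"="1"
"check_enrollment"="1"
"should_send_rlz_ping"="0"'
SAMPLE_WINDOW='"block_devmode"="0"
"check_enrollment"="1"'

# On a real device (root shell) read the live RW_VPD; elsewhere use the samples.
if command -v vpd >/dev/null 2>&1 && listing=$(vpd -i RW_VPD -l 2>/dev/null); then
  echo "live RW_VPD state: $(vpd_state "$listing")"
else
  echo "sample (locked) state: $(vpd_state "$SAMPLE_LOCKED")"
  echo "sample (window) state: $(vpd_state "$SAMPLE_WINDOW")"
fi
```

If the live state reads "locked" after the reboot, the device re-set block_devmode to 1 before you got out, and the timing step has to be repeated; "window" is the state in which an unverified recovery image will boot.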

Video tutorial:

https://drive.google.com/file/d/1Z4Lv82w_QGy-TTdSvdMAu0gf8NOJyKfx/view