FUSE exploits an out-of-bounds write in the Chrome EC firmware update protocol (usb_update.c:619) to gain code execution on the embedded controller of enrolled barla/grunt Chromebooks. From there, it exploits a chain of vboot bugs where FWMP enterprise restrictions are silently ignored when the FWMP read fails in recovery mode (2kernel.c:58, stages.c:206), clearing all enterprise policy flags without touching the TPM. A persistence layer installs itself to the stateful partition so that every subsequent recovery boot automatically opens a VT-2 shell and runs the full bypass chain. The end result is developer mode unlocked, unsigned kernels allowed, and GSC debug access restored on a fully managed device. From there, any Linux distribution boots from USB with no SPI flasher, no Sh1mmer, and no external hardware after first-time setup.
- Target: barla/grunt Chromebook, enterprise enrolled, in normal mode
- Build machine: any Linux/WSL desktop to compile the tools
- USB drive: FAT32 or ext4, labeled FUSE
- External Linux laptop: needed once for first-time bootstrap — connects via USB-C to deliver the EC OOB write before persistence is installed
- Second USB (optional): Debian or any Linux ISO, dd'd, for booting after bypass
1. Build

```
make
```

2. Copy to USB (label it FUSE)

```
cp bin/* chain/main_chain.sh stage2_fwmp/barla_bypass.sh \
   enrolled/vt2nodev.sh enrolled/install_autostart.sh /mnt/f/
```

3. First-time setup — run once from any shell on the Chromebook

```
mount /dev/sda1 /tmp/usb && chmod +x /tmp/usb/*
sudo bash /tmp/usb/install_autostart.sh
```

4. Every boot after — plug in USB, enter recovery (Esc+Refresh+Power), wait
   - VT-2 shell opens automatically
   - `main_chain.sh` runs: EC OOB write → FWMP bypass → dev boot flags set → reboots

5. Boot Linux — after reboot, press Ctrl+U and select your Linux USB