thelitzproject/fuse

FUSE

FUSE exploits an out-of-bounds write in the Chrome EC firmware update protocol (usb_update.c:619) to gain code execution on the embedded controller of enrolled barla/grunt Chromebooks. From there, it exploits a chain of vboot bugs where FWMP enterprise restrictions are silently ignored when the FWMP read fails in recovery mode (2kernel.c:58, stages.c:206), clearing all enterprise policy flags without touching the TPM. A persistence layer installs itself to the stateful partition so that every subsequent recovery boot automatically opens a VT-2 shell and runs the full bypass chain. The end result is developer mode unlocked, unsigned kernels allowed, and GSC debug access restored on a fully managed device. From there, any Linux distribution boots from USB with no SPI flasher, no Sh1mmer, and no external hardware after first-time setup.
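
The FWMP half of the chain is a fail-open pattern: a failed policy read is treated as "no restrictions". The sketch below is an added example, not code from this repository or from vboot, and it models that pattern next to a fail-closed version. All names, flag values and the storage stub are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy bits for this example; not vboot's definitions. */
#define POLICY_DEV_DISABLE_BOOT   (1u << 0) /* block developer-mode boot */
#define POLICY_DEV_REQUIRE_SIGNED (1u << 1) /* signed kernels only */
#define POLICY_ALL_RESTRICTIONS   (POLICY_DEV_DISABLE_BOOT | POLICY_DEV_REQUIRE_SIGNED)

/* Constructed stand-in for the secure-storage read: returns 0 on success. */
static int read_policy(int storage_ok, uint32_t stored, uint32_t *out)
{
    if (!storage_ok)
        return -1;
    *out = stored;
    return 0;
}

/* Fail-open: in recovery mode a failed read is ignored and flags stay 0. */
uint32_t load_policy_fail_open(int recovery_mode, int storage_ok, uint32_t stored)
{
    uint32_t flags = 0;
    if (read_policy(storage_ok, stored, &flags) != 0 && !recovery_mode)
        flags = POLICY_ALL_RESTRICTIONS; /* only normal mode reacts */
    return flags;
}

/* Fail-closed: any failed read yields the most restrictive policy. */
uint32_t load_policy_fail_closed(int storage_ok, uint32_t stored)
{
    uint32_t flags = 0;
    if (read_policy(storage_ok, stored, &flags) != 0)
        flags = POLICY_ALL_RESTRICTIONS;
    return flags;
}

int dev_boot_allowed(uint32_t flags)
{
    return (flags & POLICY_DEV_DISABLE_BOOT) == 0;
}

int main(void)
{
    /* Managed device, recovery mode, storage read fails. */
    uint32_t open = load_policy_fail_open(1, 0, POLICY_ALL_RESTRICTIONS);
    uint32_t closed = load_policy_fail_closed(0, POLICY_ALL_RESTRICTIONS);
    printf("fail-open:   dev boot allowed = %d\n", dev_boot_allowed(open));
    printf("fail-closed: dev boot allowed = %d\n", dev_boot_allowed(closed));
    return 0;
}
```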


Requirements

  • Target: barla/grunt Chromebook, enterprise enrolled, in normal mode
  • Build machine: any Linux/WSL desktop to compile the tools
  • USB drive: FAT32 or ext4, labeled FUSE
  • External Linux laptop: needed once for first-time bootstrap — connects via USB-C to deliver the EC OOB write before persistence is installed
  • Second USB (optional): Debian or any Linux ISO, dd'd, for booting after bypass

How To

1. Build

make

2. Copy to USB (label it FUSE)

cp bin/* chain/main_chain.sh stage2_fwmp/barla_bypass.sh \
   enrolled/vt2nodev.sh enrolled/install_autostart.sh /mnt/f/

3. First-time setup — run once from any shell on the Chromebook

mount /dev/sda1 /tmp/usb && chmod +x /tmp/usb/*
sudo bash /tmp/usb/install_autostart.sh

4. Every boot after — plug in USB, enter recovery (Esc+Refresh+Power), wait

  • VT-2 shell opens automatically
  • main_chain.sh runs: EC OOB write → FWMP bypass → dev boot flags set → reboots

5. Boot Linux — after reboot, press Ctrl+U and select your Linux USB

About

Chrome EC OOB write via USB-C firmware update protocol
