Darkn's Blog

Written Blogs by Darkn

Properly Bypassing The Tsunami (v114+)

Darkn's avatar
Properly Bypassing The Tsunami (v114+)

If you’re here just for instructions, click here.

One day I was looking around a person’s blog when I stumbled across one of their posts named “Breaking chromeOS’s enrollment security model: A postmortem”. I was intrigued, but there were a few things that were wrong with their post which prompted me to create a post of my own with the correct fixes.

As of Dec 27, 2023, their blog has fixed the incorrect listed pins.


Bypassing Instructions

Please understand that I DO NOT RECOMMEND DOING THIS. It is risky, dangerous, and not easy to do for beginners. Please attempt at your own risk. Any damages made is your own fault. Not mine, or others.

As of Sep 29, 2024: Those using Ti50 chip devices (CORSOLA and NISSA atm) are HEAVILY DISCOURAGED from following this guide. Upon modfying the GBB flags, RO verification fails and since you’re still enrolled with FWMP, the device is bricked. Please know, THIS IS ONLY FOR TI50 BOARDS. OCTOPUS, JACUZZI, etc, are fine to bypass The Tsunami.

Necessary Items:

  • Conductive Material: Staple, Tin Foil, Paperclip, etc.
  • Scissors: $4 avg.
  • Tape: $4 avg. (Recommended, but optional)

Other Requirements:

  • USB or SD Card with SH1MMER
  • Screwdriver corresponding to your Chromebook screws
  • Competence and courage, because I don’t recommend this.

Opening The Chromebook

First, you will need to open up your Chromebook using, most likely, a Phillips screwdriver. After that, disconnect the battery on the Chromebook. Methods to disconnect the connector may vary on each model.

Battery Connector 2Battery Connector 2
Examples of Battery Connector

Afterword, look around the Chromebook motherboard and look for a small 8-pin chip with pins sticking out or in. These chips tend to have WINBOND or GIGADEVICE branding, and may either say 25Q64[xx] or 25Q128[xx] right below the branding. You may need to flip over the motherboard to find this chip.

Your Chromebook may have multiple of these chips, just look for the one that is most similar to the description stated or most similar to the pictures provided below.

Please understand that the SOIC-8 chip, the one on the left or appears second, is much easier to bridge than the WSON-8 chip, the one on the right or appears first.

WSON-8 chipSOIC-8 chip
SOIC-8 chip (left) - WSON-8 chip (right)

Bridging Pins

Now you’re going to have to use the picture(s) below as reference on what pins to bridge, as this is important. These are the charts for both of the chips:

WSON-8 chartSOIC-8 chart
SOIC-8 chart (left) - WSON-8 chart (right)

“How do you bridge these pins?” This is where the supplies you got earlier comes into play, as they’ll be how you can bridge these pins.

Take a piece of your conductive material and shape it into something that’s long enough to get to either side of the chip while being small enough to not make contact with multiple pins on either side of the chip. I cannot provide measurements as the chip size is different on each model.

Through using the charts listed above, look for the circle/indent on the chip so you can know where each pin is located. From here, take your conductive material and place one end on pin 3 (WP) and place the other end on pin 8 (VCC). MAKE SURE it’s making contact with the pins and IS NOT making contact with other nearby pins. You may place tape on top of the chip to keep the conductive material on the pins, but that’s if you have to.

Use the picture below to know where to put your conductive material and tape:

  • Green: Indent / Circle
  • Red: Conductive Material
  • Blue: Tape
WSON-8 bridgeSOIC-8 bridge
SOIC-8 bridge (left) - WSON-8 bridge (right)

Booting Into SH1MMER

After the pins are securely bridged, you may plug in the charger (or the battery) alongside all the other necessary cables and boot the Chromebook. Once it has booted, boot into SH1MMER as you normally would. Disable OS verification (blocked or not), boot into the “Insert Recovery Media” screen, and plug in your SH1MMER USB or SD card.

Enter the Utilities screen and run “Un-Enroll Device” (or “Deprovision Device” if Legacy). This won’t do anything currently, but it’s a necessary step. After that, enter the Bash Shell and then run the following commands. It should end up like the picture below:

  flashrom --wp-disable
  /usr/share/vboot/bin/set_gbb_flags.sh 0x8090 

If the commands fails here, you need to repeat the Bridging Pins instructions. However, if the command succeeds, then you may turn off the Chromebook, unplug the power source, and then remove the bridge. This is highly recommended to prevent any accidental damage.

Command Output
Command Output (Bash Shell)

Dealing With An Update

For those on v124 or newer, they changed cryptohome to device_management_client. However, this doesn’t remove FWMP due to “a weird quirk of the refactors” and will simply error upon running the command with —action=remove_firmware_management_parameters.

Instead, you’ll need to downgrade ChromeOS to v123 (or lower) with developer mode on to bypass the “ChromeOS is out-of-date” error. If you don’t know how to downgrade, below are instructions that I’ve made.

If recovery reports “An Unexpected Error Occured”, try a different version.

Downgrade Guide
Downgrading Guide (Utada Hikaru Discord)

Booting into ChromeOS

Reboot the Chromebook and get past the OS verification screen by pressing CTRL + D. After waiting 5 minutes and booting into ChromeOS, DO NOT PROCEED WITH THE SETUP SCREEN. Instead, enter the VT2 shell by pressing CTRL + ALT + F2.

Log into the shell as root and then run the following commands. It should end up like the picture below:

  tpm_manager_client take_ownership
  cryptohome --action=remove_firmware_management_parameters 
Command Output
Command Output (VT2 Shell)

Both the commands should report success, and if they do, that’s great! Simply exit out of the VT2 shell by pressing CTRL + ALT + F1, then powerwash the Chromebook by pressing CTRL + ALT + SHIFT + R. Once it’s powerwashed, you may go through the setup screen and it shouldn’t re-enroll anymore!

Closing Thoughts

I don’t know what to say except that I extremely do not recommend doing this. It’s a difficult process for new users that don’t know how to bridge pins, and it’s very easy to brick your Chromebook doing this.

There have already been reports of people bricking their Chromebook in servers like the SH1MMER Discord or the TitaniumNetwork Discord. These are because of bridging incorrect pins, bridging multiple pins, or many other reasons.

Note: Some of these reports don’t have any evidence, but it probably did happen.

TN DiscordSH1MMER Discord
SH1MMER Discord (left) - TN Discord (right)

All in all, just don’t do this shit. If your Chromebooks bricks, that’s on you. But if you do this and your Chromebook ends up being unenrolled, then congratulations. You took the risk for a huge reward, and now you can do whatever the hell you want on that Chromebook.

For me, I have OCTOPUS and JACUZZI Chromebooks which skipped kernver 2 and have write protection disabled, so I can just downgrade to v107 and unenroll with SH1MMER anytime I want.

Not like I’d ever do this myself anyways.