ICARUS

What is ICARUS?

ICARUS is an exploit for Chrome devices which allows people to unenroll devices with device management interception using a proxy and a custom Certificate Authority.

WARNING: Never use public proxies for ICARUS. Always self-host to avoid security risks. Do not use a third-party server since they CAN remotely access your chromebook, remotely enroll you into their domain, giving them your IP and other info, and everything that Google can do like wipe your chromebook and other things.

What is ICARUS-Lite?

The original dev team had stopped maintaining ICARUS, cosmic, along with the help of others has stepped up to help.

Repo: https://github.com/cosmicdevv/Icarus-Lite/
A Python-compiled version of httpmitm.
Includes QoL features like an auto cert updater.
Compatible with Windows.
More info available on its repo (star it to be cool!).
Maintained by Cosmic.
ICARUS-Lite does NOT currently have functionality to build Icarus shims. Please download a prebuilt shim to use ICARUS-Lite, or use ICARUS-Revived.

What is ICARUS-Revived?

ICARUS-Revived is essentially a maintained version of the original repo with new certs and other stuff, but the server code is still broken. Use ICARUS-Lite for the server.

Repos:

What you need/Requirements

A Chromebook atleast on kernver 4 or below, as well as being on 125-130 (I recommend downgrading to v125)
A personal device like a windows/mac/linux laptop
A USB drive / SD card greater than around 8GB; used to boot the modified shim
A router and an internet connection; so that you can host the proxy
A brain

Building an ICARUS modified shim

Clone either fanq's repo or kxtz's repo (for this guide i will be using fanq's repo) and set up the environment (Make sure you have python3, python3-venv, and protobuf installed beforehand) :

Clone the github repostiory: git clone --recursive https://github.com/fanqyxl/icarus
Change the directory to ICARUS: cd icarus
Setup the Python Virtual Environment: make setup-venv
Enter the Virtual Environment: make enter-venv
Setup Python: make setup-python
Build the packed data: make build-packed-data

Ensure Chrome's PKIMetadata component is up to date but below version 2000:

Open Chrome on your build machine and go to chrome://components.
Press CTRL + F and search for "PKIMetadata".
Click "Check for Updates" and ensure it is up to date but below version 2000.

Generate the PKIMetadata:

bash get_original_data.sh
bash make_out.sh myCA.der

Modify the shim with the generated PKIMetadata:

bash modify.sh <shim path>

Flashing a prebuilt shim

Go to one of these file hosts:
- fanqyxl's file host
- kxtz's file host
and download a prebuilt shim for your corresponding board.
Flash the shim to a USB not and SD card since they often have issues, if you don't know how to flash it's in the Troubleshooting section.

Booting the shim

Now boot the shim, and ICARUS will attempt to modify your stateful partition. It should say Finished Click Enter to Reboot, which you will click enter, and everything SHOULD go smoothly

Steps on how to boot a shim:

Get to the recovery screen by pressing Esc+Refresh+Power
Once you get to the recovery screen, press Ctrl+D
It's going to try to make you go back to Secure Mode (It's going to turn off and open up a gray screen), ignore this and press Esc+Refresh+Power once more
You should be in developer mode and on the recovery screen, now plug in your USB and it should boot the shim!

Various errors you may encounter

If it gives you a Failed to modify stateful error, simply plug the USB in a different port, if your using a sd card, use a USB
If you get a cros_debug error, simply retry and it should work

Server Setup

Use Icarus-Lite for this, which has been tested on all operating systems.

Windows Instructions

Go to Icarus-Lite's latest releases
Download the exe
Run the exe
follow instructions ICARUS-Lite gives you and it'll tell you IP and port to use. If it doesn't work check the ICARUS-Lite repo's README.md

Linux/Mac OS Intructions

make sure you the following installed ==> python, git

clone github repo with git clone https://github.com/cosmicdevv/Icarus-Lite.git
change directory to it by cd Icarus-Lite
install all python package dependencies by pip install -r requirements.txt (if this doesn't work look at the Linux/Mac Instructions here)
Run the main python file by python main.py
ICARUS-Lite will attempt to automatically set up the required file structure and download the latest SSL certificates from kxtz's Icarus fork.
follow instructions ICARUS-Lite gives you and it'll tell you IP and port to use. If it doesn't work check the ICARUS-Lite repo's README.md

Public servers

you should never use public servers, use this as a last ditch if you can't get the server running or if you don't have a device to host on

fanq's server
IP: 108.46.248.129
PORT: 8126
kxtz's server
IP: 172.93.103.55
PORT: 8126
cosmic's server
IP: 146.190.59.243
PORT: 8126

Once the chromebook reboots after booting the shim, and your at the Welcome! screen, don't proceed, do the following:

Click Shift+Alt+S , It should open up a menu
Connect to WiFi from there.
Edit proxy settings by clicking on wifi once more (A popup should show up).
Set proxy settings to manual.
Set Secure HTTP IP to the IP of your proxy server (local ip if it's hosted on localhost). The port will 99.9% be 8126 unless you changed it
Resume setup and your chromebook will unenroll.

Troubleshooting

Q: My device says "Can't reach Google"!

Ensure both the device and server are on the same network.
If that didn't work, powerwash your device, re-run the modified shim, and keep the server running.
Make sure that ICARUS-Lite is recieving and handling the ChromeOS device's requests; check the terminal/window where ICARUS-Lite is running for any output past "ICARUS-Lite is running on...". If nothing else has been output, it means ICARUS-Lite isn't recieving requests from the Chromebook and therefore is not handling them accordingly. In this case:

Re-run the Icarus shim and ensure the target ChromeOS device and the device hosting the proxy are on the SAME WiFi network.
Ensure the shim used on the target ChromeOS device was built with the same CA (Certificate Authority) used to generate the SSL certificates

If you're using a prebuilt shim and don't know what CA was used, consider building your own shim and SSL certificates if nothing else works.

It is also important to note being above ChromeOS v130 or below ChromeOS v125 will cause the target ChromeOS device to reject the connection to the MiniServer, causing the "Can't reach Google" screen.

Q: How to Flash a USB/SD card?

Get Balena Etcher (i personally recommend), rufus, or Chromebook Recovery Utility
Then simply follow the instructions provided on the website, or simply ask chatgpt.

Q: How to check your kernver

Kernver - ˈkɝːn.vɚ : noun | Kernel Version; determines what version you can downgrade until; see KVS
You can check your kernver by going to the recovery screen - Esc+Power+Refresh and then pressing Tab
You are looking under TPM it should say something like kernver=0x00010004; In my case it's kernver 4 since thats the number it ends in

Credits

MunyDev - Lead developer of ICARUS

Xmb9 - Script improvements

r58Playz - General enhancements

Akane - SSL support and guidance

cosmicdevv - Writing and maintaining ICARUS-Lite

kxtzownsu - Maintaining certificates Icarus uses

fanqyxl - Emotional support + keyrolling his chromebook lol

AC3 - Helping in times of depression and desperate needs

T3RM1N4L - Making the website