
How to liberate a Chromebook - octosphere
https://ar.al/2018/12/31/sometimes-you-have-to-stick-a-screwdriver-in-it/
======
sowbug
Or just follow Google's instructions if you want the same outcome without the
invective:
[https://www.chromium.org/a/chromium.org/dev/chromium-os/deve...](https://www.chromium.org/a/chromium.org/dev/chromium-os/developer-information-for-chrome-os-devices/samsung-sandy-bridge).

~~~
cbhl
Having followed these instructions before, they're not quite suitable for
making a Chromebook run an alternative operating system for the average user.
A developer, sure. But every time you boot up the computer, you hear an
annoying beep and have to wait ten seconds, during which you're a few
keystrokes away from wiping the machine and restoring it to a pristine copy of
Chrome OS.

The reasons for this design are documented:
[https://www.chromium.org/chromium-os/chromiumos-design-docs/...](https://www.chromium.org/chromium-os/chromiumos-design-docs/developer-mode)

(Of note, the newer Chromebooks no longer require a physical hardware switch
or jumper to be toggled. The hardware folks said this was expensive, so newer
devices let you enter developer mode by holding the correct keys on boot.)

For now, if you truly want to give a Chromebook running another OS to someone,
you have to replace the EEPROM:
[https://www.chromium.org/chromium-os/chromiumos-design-docs/...](https://www.chromium.org/chromium-os/chromiumos-design-docs/firmware-boot-and-recovery)
[https://www.chromium.org/chromium-os/chromiumos-design-docs/...](https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot)

~~~
xg15
> _An attacker with physical possession of the device over an extended period.
> The attacker has access to tools including a soldering iron._

Yeah, if that is the vulnerability scenario they see necessary to "protect" me
against, it's pretty clear I'm not the owner of the machine. I think the anger
is warranted.

More broadly, I find the distinction between "normal users" and "developers"
in that article pretty telling. I guess the goal isn't anymore to make
everyone computer-literate enough to run anything else than Chrome OS.

~~~
sowbug
You misread the document. You're quoting from the vulnerabilities section,
which lists scenarios that Chromebooks either do or do _not_ protect against
("We cannot prevent this attack").

------
sk0g
The tone of this article is off putting to the point of being unreadable, and
I'd say I'm more privacy conscious than the average technologist...

~~~
wishinghand
> The tone of this article is off putting to the point of being unreadable

Now who's exaggerating? I'm largely in the middle of privacy vs convenience
but I can get through the information just fine.

------
rixrax
I recently got a 2017 Google pixelbook to replace Razer stealth 2017 that I
unsuccessfully tried to replace 2017 MBP with.

Similar to OP (little less emotion maybe), I flashed coreboot[0][1] on it and
installed Ubuntu[2] (display brightness, audio doesn’t work so I have usb-c
audio adapter) - couldn’t be happier: keyboard is excellent, it’s light, it
was relatively inexpensive (for low end i7, 512gb , 16gb ram), it’s silent (no
fans), display is 3:2 aspect ratio (I think) and it’s not 4k, hardware feels
nice and solid. Other than audio issue, Ubuntu runs solid on it after some
tinkering. If you’re willing to tinker with it a bit - Google totally nailed
it on this![3]

[0] [https://www.coreboot.org](https://www.coreboot.org)
[1] [https://mrchromebox.tech](https://mrchromebox.tech)
[2] [https://www.reddit.com/r/elementaryos/comments/9vu3hm/juno_o...](https://www.reddit.com/r/elementaryos/comments/9vu3hm/juno_on_my_pixelbook_looks_amazing/)
[3] [https://www.google.com/chromebook/device/google-pixelbook/](https://www.google.com/chromebook/device/google-pixelbook/)

~~~
marktangotango
Try the galliumos kbd file for media keys support:

[https://github.com/optio50/ChromeBook-Keyboard-xkb/blob/mast...](https://github.com/optio50/ChromeBook-Keyboard-xkb/blob/master/README.md)

------
StephenAmar
Says the guy sending the output of a curl into the laptop's firmware.

~~~
pnut
I cannot stop laughing at this comment.

------
elliotpage
To echo some of the other comments - this looks like a useful guide but the
attitude is atrocious. You only need to make your anti-google complaint once
and then move on.

------
bubblethink
The suggested coreboot distribution (johnlewis') is not maintained any more.
You should use mr. chromebox's builds or build from source.
([https://doc.coreboot.org/distributions.html](https://doc.coreboot.org/distributions.html))

------
johnvaluk
I've updated the firmware on every ChromeOS device I've owned and installed
Linux. It's fun!!! But I've also restored some of them to factory condition
and given them away to friends or family who find it challenging to apply
regular security updates. It sounds like the author gave someone a broken
ChromeBook instead of giving her the freedom to decide how she wants to use
it.

~~~
saagarjha
Yeah, I hope he asked her what she wanted before forcing her to use that…

------
glup
To clarify, "How to liberate an _Intel_ Chromebook in ten easy steps." Older
ARM Chromebooks are doomed to a life of a corporate surveillance endpoint
unless you are willing to put in a huge amount of effort.

------
TheRealPomax
I can't tell if "if remove all /eight/ screws" is meant as a "look how few we
used back then" or as a "look how many screws that is!" comment. It's eight
screws. Even my ancient Dell Inspiron has more than that...?

~~~
Stratoscope
The very next sentence answers your question of why /eight/ is emphasized:

> _Four of the screws are hidden under the pads for the feet..._

~~~
TheRealPomax
How is that an answer? So does every other laptop I've ever owned that has
"feet" pads rather than shaped bits of chassis. That's like going "and then I
had to REMOVE the outlet part from the wall socket box so I could switch live
and ground!" as if that's somehow crazy unexpected.

~~~
raintrees
Maybe because some have never had the pleasure of taking apart modern
equipment and might consider resorting to force, without the knowledge of
those four other screws?

I consider it a helpful reminder to count to verify I have gotten them all.

------
classichasclass
Why is he running Chromium, then, after all that? Or am I misidentifying the
browser in the final screen shot?

~~~
sosodev
It's probably Chromium. GalliumOS defaults to Chromium with some fixes to make
it more Chromebook like.

------
charlesism
It would be nice if there were a link to purchase the right jumper. I'd rather
spend 50 cents, and permanently enable write access, than mess around with the
screwdriver.

~~~
TheRealPomax
Permanent write access to the chip that houses your bios? Do you want an
unremovable virus? Because this is how you get an unremovable virus. You want
to unlock that chip only for exactly as long as you are going to knowingly
change its data yourself, and then lock it right back up.

~~~
charlesism
Cheers. I hadn't thought about that. I just saw the photo, and it doesn't look
like a pleasant way to work. Screwdriver breaking something off, ESD, etc.

------
Havoc
> Pry open the lid by sticking a small flat-head screwdriver in and gently
> moving it all around the edges.

Instead of a screwdriver, which can easily damage the casing, breaking a
washing line pin in half gives you a sturdy plastic object of right size for
the job that won't scratch stuff.

------
sosodev
I did something similar with my Chromebook. I flashed the bios and installed
Arch + Sway + GalliumOS patches. It's been a pretty stellar experience so far.

------
yingw787
Hmm.

I appreciate the sentiment behind the author's desire to do this. But I'm
wondering:

- Did it void a warranty if it was still valid, and the tampering with the
case had damaged some hardware that the end user can't fix on her own?

- Does the user require knowledge of GalliumOS, and understand that updates
may need to be pulled manually?

- Can common college programs in her major be run on GalliumOS and on the
hardware defined by Chromebooks (low-end)? Can she run SSH to Linux or VNC for
Windows w/o difficulty?

I agree having one corporation say to the poor and the young and the otherwise
disenfranchised that a corporate, locked-down operating system is good for you
is not a great idea. It trades your freedom for convenience, and no matter how
appealing that may be for both parties (the end user for cheapness and ease of
use, and the corporation for not having to deal with the insanity and
unworkability of some users), it's not a good tradeoff in the long run for
anybody, including the corporation that discovers too late that hiring the
same sheep it raised is bad.

But I don't think this is the right way to go about it. Shrieking the
principles of Stallman from a hill just makes you look like an old crazy
person. I personally didn't get to love Linux until I had a MacBook Pro, a
UNIX fork that works pretty nicely on a laptop, and moved slowly into Linux
until I prefer the CLI over GUIs for many things now. At every stage of my
transition, everything worked, and worked best for me, and I understood _why_
I needed to move further. Doing something like this and encountering issues
solved by ChromeOS may create a negative impression of Linux in a young mind,
which is the exact opposite of what you want to do.

As an alternative way forward, I installed Ubuntu on my parent's laptop after
Windows 10 kept freezing up on them. Yes, it has binary blobs and a
corporation runs it and whatnot, but it _works_ and it's still Linux.

My dad got a virus from downloading a YouTube video somehow, and I could fix
it because I could reinstall chrome using 'apt', and taught him how to use
'youtube-dl' instead (open terminal, paste, enter key). I don't think he cares
that it's Linux, but I do think he is happy it works and I can fix it when it
goes wrong.

You never want to do the right thing by going against the laws of power,
because that's how you end up as cannon fodder and a footnote in a moldy AP
compsci textbook somewhere.

------
saagarjha
If you’re willing to go halfway and live with the verification screen (which
doesn’t require opening up the computer), I wrote up a guide for dual booting:
[https://saagarjha.com/blog/2019/03/13/dual-booting-chrome-os...](https://saagarjha.com/blog/2019/03/13/dual-booting-chrome-os-and-elementary-os/).
But back to the article, the author seems to fundamentally
misunderstand the reasons for the warning screens. They are there to alert you
if your system has been compromised; if you’re looking for the ability to
verify what you’re booting it’s either that or iOS where you can’t install
anything else at all. I think I vastly prefer the former option.

~~~
int_19h
Those are not the only two options available. They could also allow you to
provide your own signing keys, and then verify that whatever it is you're
trying to boot is signed with those.

~~~
saagarjha
That’s a valid option but I haven’t seen any consumer hardware implement this
properly. The issue seems to be that the ability to change signing keys makes
it possible to change them without the end user noticing. Unless Google had a
service that could deterministically burn your keys into the hardware at
manufacture time instead of their own I can’t see this working: can you think
of anything else?

~~~
int_19h
I don't see why it can't work if the only way to change them is through a
special UI at boot (the security of which can itself be protected with
hardware-assisted measures).

~~~
saagarjha
Because then other people can change the key without you knowing?

~~~
0815test
This is trivially avoided by adding a setup password. Additionally, the system
could display a hash of the keystore at boot - AIUI, Purism has worked on
something like that.

~~~
saagarjha
This doesn't help ordinary users who aren't going to check the hash at boot.

~~~
0815test
OK, so we're talking about users who have unlocked the system themselves and
enrolled a user key onto it, but aren't going to notice if it changes
unexpectedly? Suuure.

~~~
saagarjha
No, you also have to include users who would like to run "stock" Chrome OS and
continue trusting Google's keys. How do you protect them?

------
ocdtrekkie
I have an i5 Chromebox I got at I/O a number of years ago, and I was
considering doing something like this to make it useful. For the moment I
haven't put in the effort to tackle it yet.

------
wfh
Does GalliumOS auto-update, including security updates for all packages?

~~~
bubblethink
It's ubuntu based, but they use their own kernel. So you rely on their kernel
builds, which is not ideal. If your device is one that works well with
upstream kernel, you should just use a regular distro (or switch your
galliumos kernel to track the regular ubuntu kernel).

~~~
marktangotango
Galliumos is no longer under development; see r/galliumos for more info. Ubuntu
18.04 works great, see my other link in this for how to enable media keys.

~~~
bubblethink
It seems like they are still active, although not quite as much. The stickied
post on that sub says so at least. The main draw for galliumos is support for
odd devices for which upstream support is lacking. That's kind of why it
exists, and I don't think things have changed materially for a lot of these
old devices. Going forward, things should be a bit better since chromeOS
itself tracks LTS kernel releases now, and I think they also plan to do kernel
upgrades over the life of a device.

------
clircle
I wonder if the person he gave the laptop to appreciated that he installed
Gallium OS. I bet Annie can figure her way around Chrome OS, not sure about
Gallium

------
teilo
Not all Chromebooks have a write-protect jumper like this. The HP Chromebooks
have a write-protect screw. Rather than jumping terminals, you remove the
screw.

------
ykevinator
Who is Annie? I hate when people write like this. Despite this, it's a great
technical piece.

------
bdz
I'm curious what are the 2GB RAM and the Celeron 867 good for in 2019. Apart
from text editing.

------
raintrees
"Screwdrivers for Freedom" - A sentiment I can get behind...

------
cypherg
utter bollox

------
Tsubasachan
But why? Buy a cheap laptop, reinstall windows (acquire Enterprise LTSC),
profit. I rarely give the tech industry money.

~~~
TheRealPomax
I think you just made your own case for why to do this? Your solution costs
money, this guy's solution costs however much a few inches of clear tape
costs. Between the two "I rarely give the tech industry money" kind of
suggests you are on board with repurposing old tech rather than just buying
something new?

