School Controls (Blockers, etc.)

A place where you don’t have to live by the restrictions of a screen.

▶ Proxies

If any of these links don't work for you, or you want to suggest links, join the discord.

▶ NebuliOS

▶ Vapor

▶ Nano

▶ Utopia

▶ Rammerhead

▶ Interstellar

▶ Pastebin

https://pastebin.com/5pDP2SsS

▶Unblocked Games (local files)

Go to this link
Pick a game
Download from Drive
Open File
(Note that file links can be blocked)

▶Make your own Proxy link (Github)

Go to the links below depending on which proxy you would like to host, and hit the green button saying "Code" then click "Create codespace on main"
In the terminal at the bottom, paste pnpm i && pnpm start
Respond to the popup in the bottom right corner by clicking "Make Public"
Access the deployed website from the ports tab
For subsequent uses in the same codespace, just run pnpm start
Interstellar
Ultraviolet
Doge Unblocker

▶Make your own Proxy link (Censor Dodge)

Go to this link here
Find the “One-click Proxy setup” at the top bar or you can scroll down to it.
Enter your own customized name and select whichever domain you want to host it under, then hit “Setup Proxy”
Hit “Open your proxy” then enjoy!
(Sometimes the link is down sometimes it’s up idrk)

▶Bookmarklets

(Note that the school may have blocked several permissions and/or factors and that's why these are not working.)

HOW TO USE:

Find a bookmarklet that you would like to use from below
Click the hyperlink, then copy It
Bookmark this page, then edit the bookmark
Then replace the URL field with your copied code
Enjoy!

▶"about:blank"er

javascript:(function () {var url = prompt("Type the link to the page you want embeded into an about:blank page.", "https://os.nebulilabs.xyz/main.html"); var urlObj = new window.URL(window.location.href); win = window.open(); win.document.body.style.margin = "0"; win.document.body.style.height = "100vh"; var iframe = win.document.createElement("iframe"); iframe.style.border = "none"; iframe.style.width = "100%"; iframe.style.height = "100%"; iframe.style.margin = "0"; iframe.referrerpolicy = "no-referrer"; iframe.allow = "fullscreen"; iframe.src = url.toString(); win.document.body.appendChild(iframe); var script = win.document.createElement("script"); script.src = console.warn( "%cNote!", "color: purple; font-weight: 600; background: yellow; padding: 0 5px; border-radius: 5px", "code fr" ); document.addEventListener("DOMContentLoaded", function() { const ad = document.createElement("script"); ad.setAttribute("async", ""); ad.setAttribute("src", "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-3723218062742398"); ad.setAttribute("crossorigin", "anonymous"); document.head.append(ad); const stats = document.createElement("script"); stats.setAttribute("defer", ""); stats.setAttribute("data-domain", "3kh0.github.io"); stats.setAttribute("src", "https://stats.senty.com.au/js/script.js"); document.head.append(stats); });; win.document.body.appendChild(script); })();

▶Car Axle (Browser)

To big lowkey

▶Template #3

add shi here

▶Template #4

add shi here

▶Template #5

add shi here

▶Br0ker

Only works on v132

Downgrade to v132.
See SH1MMER for booting into…SH1MMER.
Run the Br0ker payload.
Wait until the "Get Started" button appears, then enter Dev Mode again.
Follow the persistence instructions here. You do not have to follow these if you're using BadBr0ker.
Enable "MAC Address Randomization" in chrome://flags to cloak yourself.

▶CAUB

Patched on Chrome OS v128+

Go to chrome://network#state & scroll to the bottom.
Click the "+" by the name of the Wi-Fi network.
Copy the whole page (Ctrl+A then Ctrl+C).
Go to caub.glitch.me & paste it into the text box.
Click "generate onc" & download the file.
Go to chrome://network#general & import the onc file.

▶ExtHang3r

Succeeded by ExtPrint3r; Patched on Chrome OS v135+

Go to this website link.
follow the instructions on the page (instuctions below)
(click hang for the extension, wait for it to finish, then click kill, and in a new tab, go to extensions, then click the three dots button to the side to click manage extension (the page isn't blocked as GoGuardian is in this state), then click allow access to file URLs twice, it should now be safe to close the extensions page and the tab with the ExtHang3r code, and for me, this only works for like 10-20 minutes, but there is a lot you can do in that time.)
If the link is blocked, put the link in a source code reader

▶ExtPrint3r

Patched on Chrome OS v135+

Open this link.
Look for your blocker on the list. If it isn't there, toggle "show all extensions" in the settings.
Click disable & follow the directions on the popup window. You'll need to do it very quickly.
If the extension switches back on, increase the iframe slider in the settings

▶Hartools

Patched on Chrome OS v129+

Download this file.
Go to devtools://devtools/bundled/inspector.html.
Once it loads, add "?experiments=true" to the end of the URL.
On the inspector page's sidebar, click the 2 arrows & select "Network".
Upload the har har file.
Double click the text that appears in the box.

▶Games in Canvas

Go pick a game from here and download it
Go to canvas, and click on your profile picture
Click “Files” then “Upload”
Upload the game file, and then open it
Enjoy! (Note: Embeds can be blocked)

▶LTMEAT

Patched on Chrome OS v114+

Take chrome-extension://ID/manifest.json & replace "ID" with the extension ID. This is the extension's manifest page.

You can find your extension’s ID in the URL bar of chrome://extensions after clicking “more details”.

Go to the extension’s manifest page & bookmark it (A), as well as chrome://kill (B) & chrome://hang (C).
While on (A), click on (B).
Instantly start spamming (C) & reload.

▶RigTools

Patched on Chrome OS v129+

Go to: devtools://devtools/bundled/devtools_app.html
Go to: devtools://devtools/bundled/devtools_app.html?experiments=true&wss=yomamafrfr.up.railway.app
Click the “Network” tab
Double Click the gray box
Click {Blocker} icon
Click the SWAMP button on the top left
Enjoy!

▶SH1MMER

Exploit itself patched on v112+

Find your Chromebook’s board name by going to chrome://version. It will be behind “stable-channel”.
Download your board's RMA Shim at cros.download & then inject the bin at Wax4Web, download an injected bin from here, or build one yourself.

Modern shims have a UI, while Legacy uses a command line interface.

Flash the injected bin onto an external storage device.

You can do this with tools such as Rufus, DD, Chromebook Recovery Utility, & much more.

Enter Recovery Mode (Esc+Refresh+Power), then enter Dev Mode (Ctrl+D).
Reenter Recovery Mode, then plug your shimmed storage medium into your Chromebook.
Run "Deprovison Device".

Alternatively, you can run the Cryptosmite payload (patched on kernver 3+) or the Br0ker payload (v132 only).

Enable "MAC Address Randomization" in chrome://flags to cloak yourself.

▶sh1ttyOOBE

Only works on v135-7

Downgrade to v135-7.
Powerwash your Chromebook, then on the "Welcome to your Chromebook" screen wait until you see the "Quick set up with Android" button. DO NOT click "Get Started" if it doesn't show immediately.
Press Ctrl+Shift+R & click "Cancel".
Click "Enter your google account email & password" & it should say to "Connect to a network".
Open quick settings & connect to a network.
Enable "MAC Address Randomization" in chrome://flags to cloak yourself.

After signing in you can sign out, which will return you to the welcome screen. From here, proceed with OOBE & sign in with the same email, then when you sign in it will hang on the "Please wait" screen. Afterwards, simply restart or press Alt+Volume Up+X to return to the lockscreen. This will persist until the next powerwash.
After gaining persistence via the above instruction, you can simply boot modified recovery images in unverified Recovery Mode.

▶SKIOVOX

Patched on Chrome OS v119+; methods for v125-6/v141

Find a website kiosk (one that shows the URL while it's loading.)
Find some way to navigate to a search engine, such as a webview exploit.
Copy this HTML code to your clipboard: <script>&window.open("javascript:alert();");</script>
Paste the code into a live code editor

Common webview exploits:
Google Privacy & Terms: Scroll all the way down & click the grey Google hyperlink. Google captchas have a hyperlink to this page.
Cross Site Scripting: a lot of school shit is badly designed, so it may be open to XSS.

▶UpDAUB

NOT PATCHED

Access a shell (via methods such as SH1MMER or BadApple).
Run the following (3rd will open a prompt):

cgpt add /dev/mmcblk0 -i 2 -P 10 -T 5 -S 1

fdisk /dev/mmcblk0

{just press enter}

{just press enter}

mkdir /stateful

vgchange -ay

mount /dev/{output of vgchange -ay}/unencrypted /stateful

rm -rf /stateful/*

umount /stateful

▶Disable ContentKeeper Permanently (Not Tested)

Sign Out

Press [Shift]+[Alt]+[Ctrl]+R to power wash

Click “Reset Device”

Open “Play Store”

Look for “CK Cloud”

When it tries to install, Click “Cancel”

Make the screen visible but open “Chrome”

Let ContentKeeper Initialize

Keep Clicking “Cancel” for about 30 minutes (There will be about 5 trials with 30 seconds in between but the 5th will happen 20 minutes after)

Enjoy

▶(History Hiding) Search engines

SearXNG (search anything without appearing in your history)
PrivacyWall (Has hidden preview mode, its a still png not useless but useful, does appear in your history)
StartPage (Has an anonymous view feature that doubles as proxy AND has is hidden in your history)

▶Eduphoria WebView

Click the “Eduphoria” logo in the top left
Scroll down and Click the “Youtube” logo
Click “Sign In”
Click “Help"
Click the 9 dots
Click “Search”
Enjoy

▶Securely bypass (Pretty risky, unrecommended, & probably patched)

Inside the Securly Code there’s a line that says any URL with inside the name suicidepreventionlifeline.org will be allowed. This with this theory we could use it like this:

(For Example) discord.com → discord.com/?suicidepreventionlifeline.org
This should theoretically be unblocked BUT the teachers can still see your screen and maybe with the “suicide prevention” thing could scare them.

Overall: 3/10 bypass

Im still going to keep the lifeline link clickable if someone needs it