Lenovo ThinkPad C13 Yoga Chromebook Enterprise Delete?

Hi,

This is my first post so please be gentle if I haven’t got this just right.

I have lots of experience building and repairing Windows PCs, but a Buddy offered me a Lenovo ThinkPad C13 Yoga Chromebook which has an Enterprise Chrome operating system. His wife was given it to recycle when an employee left her company. My Buddy thought maybe I could use it, as her company (a large local Teleco) won’t commit any of their IT resources to do anything with it. (She asked.) I guess they see it as disposable.

Well, I have zero Chromebook or Linux experience but I looked at it as an learning experience. I have already located & tried Sh1mmer and found an earlier Zork.bin image of the OS that isn’t an Enterprise Version. But Sh1mmer gives an error as I expect it has to do with the Enterprise enrollment which needs to be defeated.

As suggested on MrChromebox.net, I recently bought a Debug Cable as this is a CR50 device, but got no joy there either. Again, did get Sh1mmer to run with the cable inserted but the errors were still present.

I was able to see the Firmware log and it’s using Google_Morphius.13434.356.0 active Firmware. I did a memory and storage tests which passed. I was shocked to see that the Power On Hours were only 8! (I bet over half of them are from my mucking about.)

So I’m at a loss as to my next move. I’m not stuck on going to ChromeOS, although I though it would be interesting to try out if I can get this sorted. I have seen where some folks convert Chromebooks to run Windows or Linux => and maybe that would be an option?

I’ve heard there is a flag set in the security chip which tells ChromeOS it is supposed to complete re-enrollment before allowing a user to log in. Is there a way to Flash this to turn off the Enterprise sign in routine?

Can you point me in the right direction so I can avoid sending this to the Recycle Bin?

Thanks for the assist.

You wont have any luck flashing the bios from chromeos with enterprise enrollment. You could try to externally flash the bios chip, not sure if ee will cause problems there.

Are you able to enter Developer Mode?

If you are, then after unplugging the main battery, see if flashing the custom firmware is working?

Hi Gents,

Sorry for the delay in my response but I was getting too frustrated with my lack of progress to continue, so I put this aside for a few weeks.

I have been able to get into Developer Mode, and got Sh1mmer to run, but Enterprise Mode won’t let any changes be saved. I was not certain the Debug cable I purchased was doing anything as there’s no indication that it was working.

I’m not giving up on it, but the challenge is to find out how to remove /defeat the Enterprise Enrollment so it will become just a regular Chromebook.

I used the Chrome Recovery extension tool to create an image to wipe the unit. When it came to the login screen (even though it still says it’s managed by the Telecom.com), I tried my little used Gmail Account to sign in, and to my surprise I got it to boot, and all the default Google Apps were there. I skipped the ones it asks you about during set-up, as I have no clue about what’s useful in ChromeOS.

The Box still says it’s managed by the Telecom.com on the home / sign in screen, so that still needs to be dealt with somehow. I started trying the Debug Cable into different configurations as I was very uncertain if it even worked, as when you are in Developer Mode there’s no indication of it doing anything. But again to my surprise with the USB-C end plugged into the rear left slot, with the board upside down (I saw instructions advising for some Debug Cables / Board orientation can be critical) and the USB-A end in the next slot, ChromeOS “saw” the board and a little info box popped up.

So I think I know how the Debug cable can be plugged in to work. Now I just need to know how to move forward.

With the Battery plugged in, do I go into Developer Mode and get Shimmer Running and then plug in the Debug cable: Then use “Un-Enroll Device”?

I’m really just guessing here as I’m quite ignorant about ChromeOS and Linux.

Any guidance would be appreciated.

I believe it is impossible to use a SuzyQ to debug the CR50 when enrollment is active. However since you have successfully enabled developer mode you can probably try anyway. Are you running the commands to disable hardware write protect? Is that what’s not working?

That is expected, recovering from a recovery image does not remove enterprise enrollment.

A final note: During my (admittedly) very cursory glance of the sh1mmer website, I did notice that it says that it has been patched by Google since 113. The process for downgrading seems to only be supported on unenrolled Chromebooks. It would appear to be quite the catch-22 situation.

Thanks for the comments but at the Mr Chromebox site, they state the Lenovo ThinkPad C13 Yoga Chromebook is a CR50 unit, and it can be un-enrolled using a SuzyQ Debug Cable. Hence my purchase of the cable after trying all the other methods. The problem is I cannot find simple instructions on how to proceed. Mr. Chromebox focus seems to be on flashing the bios to enable the install of a different Operating System, but for now all I want is to simply disable Enterprise Enrollment.

I’m really just stumbling around using info from various sources to try to cobble together a solution. I am unable to get a Bash Terminal (reminds me of Command Prompt in Windows?) open without going into Developer Mode and the getting Shimmer to run.

Sh1mmer Screenshot1920×1440 215 KB

Once there I can run commands it seems, but nothing to change the bios settings as the Write Protection is fully enabled. (I’ve tried to run some commands.)

I somehow thought this wouldn’t have been such a struggle as IT departments have to Administer these units, and they won’t spend much time on low cost devices like this Chromebook. It’s just not cost effective. (That’s why I suspect this one was discarded by Telecom.com rather than put back into their pool of devices.)

If anyone has any answers or links to info, it would be appreciated.

You cannot unenroll a device using a SuzyQ. CCD is locked if the device is enrolled.

You can disable WP on your device by unplugging the battery and powering on with AC power.

The only way to remove enrollment is 1) have the admin remove it, 2) use an external programmer such as ch341a, or 3) sh1mmer but I have no experience with that and believe it’s not allowed here

That’s not what it says at all. It says it is a CR50 device so you can disable hardware write protection with CCD. As @Tim confirmed, you cannot use CCD to interact with the CR50 on an enrolled Chromebook.

The problem is I’m not really sure you know what you’re trying to do yourself. As far as I can kind of make out in the screenshot of sh1mmer’s output, it tells you to disable write protect. If you can disable write protection somehow (like we mentioned, you cannot use a SuzyQ to debug the CR50 when the Chromebook is enrolled), then I don’t think you need sh1mmer?

Yes. You’ll have to figure out for yourself whether it is possible to unenroll your Chromebook. Conventional wisdom suggests that it is 99% impossible, but I have no experience with sh1mmer and don’t know exactly what you’re doing.

Edit: removed inaccurate info

Thanks for your interest Gents.

On Mr. Chromebox it says: " * On all CR50 devices it is also possible to change the WP state using the closed-case debugging (CCD) features of the CR50, along with a special USB-C debug cable. See the CCD section below."

This is footnote #5 from the Table of Supported Devices which lists the Lenovo ThinkPad C13 Yoga Chromebook.

My problem is Enterprise Enrollment does not allow changes to the bios / operating system starting sequence, and upon boot, it is automatically pushing the User to it. I have read that once WP (Write Protect) is disabled you can change that Flag on the TPM chip using commands (like in Command prompt) on a “terminal” to disable Enterprise Enrollment. I have been able to write those commands in Sh1mmer via the Bash Terminal. The issue is I get a Failure when I try to change any of the set points (Flags). I therefore know WP is still enabled.

I don’t see why anyone would be concerned with my efforts on this Chromebook as this was going to the recycle or garbage bin before I got it. I’m just trying to make this useful once again.

The only way to disable WP on enrolled cr50 chromebooks is to short WP to VCC on the spi flash.

From there you can do whatever you want with shimmer.

You’re missing a key differentiating factor here. As multiple comments have now told you, you cannot use CCD to disable WP on an enterprise managed Chromebook. MrChromebox.tech is not a site for unenrolling Chromebooks, it is a site for flashing custom firmware so you can run Windows or Linux on a Chromebook. I believe you said this yourself in an earlier comment.

Then you know what your next steps are then.

I’m not sure who this is supposed to be directed at. We’ve been nothing but helpful and patient with you.

Also from MrCB’s site concerning Suzy q:

" IMPORTANT : These instructions do not apply to any device which is locked/managed – enterprise/edu enrollment locks out CCD functionality completely"

Good Morning Gents. If the attempt to use the CCD SuzieQ cable is doomed to failure, just how does one “short WP to VCC on the spi flash” as mentioned?

I’m not adverse to taking this Box apart to get it to work without Enterprise Enrollment.

Thanks for the assist.

Tim suggested discussing the use of Sh1mmer wasn’t allowed here. I don’t want to violate any rules here.

Hi again.

Today, mostly due to the comments above, I decided to try a different tactic.

Instead letting the Chrome Recovery extension tool walking me through the selection process for the recovery image based on the make /model I decided to try a Zork.bin image that I downloaded from the web months (?) ago. (According to properties it was last modified in July 2023) I used it in recovery mode to wipe the unit and install this ChromeOS with the Battery disconnected.

But before that, as described on Sh1mmer Me Unfog

In the Bash Shell, execute the following commands below:
/usr/share/vboot/bin/set_gbb_flags.sh 0x8090
tpm_manager_client take_ownership
chromeos-tpm-recovery

The first command isn’t necessary, but is highly recommended.

The commands should report “success” at the end

I then rebooted the box into recovery mode and launched Boot from External Disk.

At the end of the install (17 minutes or so) from the USB I get an authorization challenge with a Qr code that holds a Url that gives me an error as I don’t have access to. (I tried) I read about another user who had the same issue and he was able to solve it by shutting down, reconnecting the battery, and rebooting.

Of course that hasn’t quite been the same experience for me. When it reboots, it came up in Developer Mode and then I walk through signing in and it automatically updated the ChromeOS software to it’s latest version. I even got a Bluetooth Mouse to pair with it. I plugged in an external USB Hard Drive and it plays both MP3 & FLAC Tunes perfectly, plays movies, opens pdf files, etc.

I thought I was home free so I shut it down, but upon reboot it still comes up in Developer Mode. So I select Boot from internal disk and it works fine. As Boot from internal disk is highlighted if you just wait it times out ands boots from there. But I’d like to eliminate it going to the Developer screen with the Boot options.

I’m paranoid that if I select the Return to Secure Mode option, I’ll be back seeing the Managed by Telecom.com screen again. Do you have any tips on how to avoid this?.

Thanks for the assist.

Do you want to replace ChromeOS firmware with MrChromebox firmware and run Linux / Windows?

To be clear, this isn’t a sh1mmer support forum.

That’s looking like the only alternative. That or the Recycle Bin.

Do you have any insight on that?

Yes, I realize that. I’m just looking to figure out how to unenroll this Chromebook to make it usable. It can be using any tools out there - software or hardware.