Crosh Commands Hack On Mac

Posted on |

Warning: This document is old & has moved. Please update any links:
https://chromium.googlesource.com/chromiumos/docs/+/HEAD/developer_mode.md
Crosh Commands Hack On Mac

Production Chrome OS devices that are shipped from the factory are locked down and will not let you make changes to the software. This page describes how to enable developer mode and get root access to your system.

Enable Developer Mode

Crosh Tips and Cool Commands? Get a USB with at least 4 gigs of storage and put an Ubuntu ISO on it. Then you can use it to boot Ubuntu and bypass the excessive lockdowns placed on school computers. Screenshots on the Mac are pretty awesome, and there are three ways to take a screen shot with your Mac: Command + Shift + 4 and you’ll get a crosshair that you can drag with your mouse to capture exactly what you want. Command + Shift + 4 at the same time and then let them go, then hit the Spacebar.

Modern Chrome OS devices can be put into developer mode by pressing specific keys while Chrome OS is booting:

Caution: Modifications you make to the system are not supported by Google, may cause hardware, software or security issues and may void warranty.

NOTE: Putting your device into developer mode inherently makes it a little less secure. Specifically, it makes the “verified boot” that's built-in to your hardware a little bit more lax, allowing your hardware to run custom (non-Google-signed) images. It also gives you access to a “root” shell.

If you’re encountering issues putting your device into Developer Mode, it's possible that your device administrator has blocked Developer Mode access on your device. Please follow the link to read more details about blocked Developer Mode.

You can tell that you're in Developer Mode if you see one of these screens when you turn the device on:

Crosh commands hack on mac

Switch to Normal Mode

To restore your device to Normal Mode (i.e., disable Developer Mode), reboot your device and perform the following action:

  • Device with keyboard: Press the Spacebar at the firmware screen.
  • Devices without keyboard (tablet): Use the Volume-Up and Volume-Down keys to select the Enable OS Verification option. Press the Power button to confirm.

NOTE: If you‘ve made changes to the rootfs filesystem while in developer mode, you may have to use the recovery process to restore your device to its factory condition. However, as long as you don’t crack open the case, you shouldn‘t be able to do anything that can’t be undone by recovery (software).

Getting to a Command Prompt

If you‘re a Linux hacker, you probably know that Google Chrome OS is built on top of Linux and you’re wondering how you can jailbreak your device so you can get to a command prompt. It turns out: there's no need. The command prompt is built in to your device!

NOTE: Before following these instructions, remember to put your device into Developer Mode.

Get the Command Prompt Through VT-2

One way to get the login prompt is through something called VT-2, or “virtual terminal 2”. If you're a Linux user, this is probably familiar. You can get to VT-2 by pressing:

where the [ → ] key is the right-arrow key just above the number 3 on your keyboard.

Once you have the login prompt, you should see a set of instructions telling you about command-line access. By default, you can login as the chronos user with no password. This includes the ability to do password-less sudo. The instructions on the screen will tell you how you can set a password. They also tell you how to disable screen dimming.

In order to get back to the browser press:

where the [ ← ] key is the left-arrow key just above the number 1 on your keyboard.

NOTE: The top-rows of the keyboard on a Chrome OS device are actually treated by Linux as the keys F1 through F10. Thus, the [ → ] key is actually F2 and the [ ← ] key is actually F1.

NOTE: Kernel messages show up on VT-8.

Getting the Command Prompt Through “crosh”

An alternate way to get to a terminal prompt is to use [crosh]:

  1. Go through the standard Chrome OS login screen (you‘ll need to setup a network, etc) and get to the web browser. It’s OK if you login as guest.
  2. Press [ Ctrl ] [ Alt ] [ T ] to get the [crosh] shell.
  3. Use the shell command to get the shell prompt. NOTE: even if you set a password for the chronos user, you won't need it here (though you still need it for sudo access)

NOTE: Entering the shell this way doesn't give you all the instructions that VT-2 does (like how to set your password). You might want to follow the VT-2 steps once just to get the instructions.

Crosh commands hack on mac computer

If you want to get back to the browser without killing the shell, you can use [ Alt ] [ Tab ].

NOTE: You can create as many shells as you want with [ Ctrl ] [ Alt ] [ T ] again and another shell will be opened. You can [ Alt ] [ Tab ] between them.

Making Changes to the Filesystem

The Chromium OS rootfs is mounted read-only. In developer mode you can disable the rootfs verification, enabling it to be modified.

NOTE: If you mount the root filesystem in writeable mode, even if you make no changes, it will no longer be verifiable and you'll have to use a recovery image to restore your system when you switch back to normal mode. Auto updates may also fail until a full payload is downloaded.

To make your rootfs writable, run the following command from a shell on the device:

Then reboot. Your rootfs will be mounted read/write.

Specifying Command Line Flags for Chrome

  • Modify /etc/chrome_dev.conf (read the comments in the file for more details).

  • Restart the UI with:

Booting from USB or SD card

Crosh Commands Hack On Mac Free

Chromium OS can be installed on a USB stick or SD card, for example if you build it yourself. In order to boot these, you have to first enable booting from external storage by opening a shell and running the command crossystem deb_boot_usb=1. (Even though this only says USB, it will also work for SD cards.)

Afterwards, reboot the device and use the method appropriate for your device to trigger external storage boot when you see the developer mode boot screen.

Running an alternative bootloader (“legacy BIOS”)

You can install an alternative bootloader that may make it easier to boot other operating systems. This does not require you to disable firmware write protection (with its associated risks).

NOTE: Some Chrome OS devices may ship with one or more alternative bootloaders pre-installed. These are merely provided as examples of how to set up the alternative bootloader feature. They are not officially supported, usually not tested and may or may not work at all or do anything useful. The point of the alternative bootloader feature is just to allow users to install their own -- we may occasionally pre-install software if it is readily available, but we are not committing to test and maintain it or to provide the same set across all platforms.

You can also find ready-made alternative bootloaders to install on third-party community sites such as mrchromebox.tech. Note that these sites are not affiliated with Google or the Chromium OS project and we are not responsible for any issues or damages arising from them. Use at your own risk.

Alternative bootloaders must be packaged as a coreboot payload and installed in the RW_LEGACY section of the firmware flash. You can read out the flash and print the contents of this section by opening a shell and running

If you see a file called altfw/list in this output, you have a 2019+ platform that supports having more than one alternative bootloader installed at the same time. Otherwise, you can only install a single bootloader that must be called payload. In that case you may need to remove an already installed bootloader via cbfstool /tmp/bios.bin remove -r RW_LEGACY -n payload to make room.

The new bootloader you want to add should be formatted as an ELF file. Make sure that the entry point information in the file is correctly set and that it contains code able to run in a firmware environment (i.e. no operating system support, nothing set up other than what coreboot usually provides to its payloads). Then add the file via

On an older platform make sure the name is payload and you're done. On a newer platform, you can choose any name you want but you need to enter it in the bootloader directory file. Extract this file with

and edit /tmp/altfw.txt with a normal text editor (e.g. nano). The file contains one line per bootloader with the following values separated by semicolons:

  1. Number of the bootloader in the developer mode menu (0 through 9)
    • NOTE: The bootloader number 0 is always the “default” that will boot if dev_default_boot=legacy is set and the developer boot screen timer runs out.
  2. Name of the bootloader in CBFS (i.e. the -n parameter to cbfstool)
  3. Name of the bootloader that shall appear in the developer mode menu
  4. Comment field for more detailed description (not used by firmware)

Add a line for the bootloader you just added, save the file, then replace the file in CBFS with the updated version via

Crosh Commands Hack On Mac Computer

You may also want to delete the cros_allow_auto_update file, if present. This will prevent future Chrome OS system updates from overwriting the alternative bootloader section after you modified it:

Crosh Commands Hack On Mac Os

Finally, you must write the modified CBFS section back to the firmware flash and tell the firmware to enable the alternative bootloader feature:

Now you can reboot and use the method appropriate for your device to run your alternative bootloader when you see the developer mode boot screen.