Sh1ttyExec

Sh1ttyExec is an exploit that can be used to enable booting unverified recovery images on an enrolled device.
By lxrd
  1. Powerwash the device.
  2. Start enrolling the device, then open the powerwash menu (ctrl+alt+shift+r) on the enrollment screen (not the "please wait" screen) and wait until it crashes back to OOBE.
  3. Try enrolling again, but the moment enrollment starts (the screen that says enrollment, not "please wait") press esc+refresh+power. This step is timing sensitive, so don't expect to get it on the first try. Once it works you are done: block_devmode is set to 0 and you can do badrecovery unverified, which can help facilitate exploits/unenrollments like quicksilver on devices that can't boot Sh1mmer. To enter an unverified recovery image, press esc+refresh+power, then ctrl+d and enter, then esc+refresh+power again and plug in the USB drive.

Explanation: When you enroll, the device goes through state determination. If you crash back to OOBE and try to enroll again, state determination runs a second time. During that second run it tries to clear the FWMP (firmware management parameters), but it can't because the TPM is locked; it does, however, set block_devmode in the VPD to 0. Shortly afterwards it sets it back to 1, but a restart or entering the recovery menu before that happens leaves the value at 0. This allows booting unverified recovery images, which leads to code execution via badrecovery unverified.

Video tutorial:

https://drive.google.com/file/d/1Z4Lv82w_QGy-TTdSvdMAu0gf8NOJyKfx/view