BadApple - unenrollment via icarus / code execution on keyrolled devices [below ChromeOS 132]
Patched around KV5

Notes:
-> This allows you to run Cryptosmite, Icarus and DAUB on your keyrolled device. It also allows for the pencil method.

-> This is code execution from developer mode while booted into recovery mode. The exploit has the same capabilities as SH1mmer, except that the TPM is disabled.
   Why? Refer to this: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/depthcharge/src/vboot/load_kernel.c;drc=081580ab61e5b5d4df9389bfe3f9f8891a950c9a;l=116

-> This exploit is only intended for boards that have been keyrolled, e.g. nissa.

-> If you don't have disk layout v3 (boards made after 2021), you can't do this exploit.

Instructions:
1. Enter developer mode with ESC+REFRESH+POWER and CTRL+D.
2. When you reach the block screen, press ESC+REFRESH+POWER again.
3. Select Internet Recovery.
4. When miniOS loads in, press CTRL+ALT+F3 (open the VT3).
5. You now have a shell that you can type stuff in.
If the screen is blank, select Internet Recovery (old) instead of Internet Recovery in step 3.

Why does this work?
-> When you enter developer mode, crossystem's logic flips cros_debug to 1.
-> The devs forgot that the recovery initramfs should always be trusted, whether in developer mode or not.
-> So they put code in miniOS that opens a shell on VT3 whenever cros_debug == 1.
-> Because of Google's oversight, we have a shell on VT3 whilst enrolled.
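The logic flaw described above, modelled as an added illustration: this is not miniOS's actual code and not part of BadApple; the function names and the "normal"/"recovery" boot_mode labels are assumptions made for the example. It places the gate that keys only on cros_debug beside a gate that treats the recovery environment as a trusted context and never offers a debug shell there.

```shell
# Added illustration (not miniOS's actual code): the debug-shell gate from the
# notes above, keyed only on cros_debug, beside a version that does not treat
# developer-mode state as a reason to open a shell inside recovery.
# Function names and the boot_mode values are assumptions made for this example.

# Vulnerable gate: a VT3 shell is opened whenever cros_debug == 1,
# regardless of whether the device booted normally or into recovery.
vulnerable_shell_gate() {
  cros_debug="$1"   # 0 or 1, as crossystem reports it
  boot_mode="$2"    # "normal" or "recovery" (constructed label)
  [ "$cros_debug" = "1" ]
}

# Hardened gate: the recovery initramfs is never a debug surface. A shell is
# offered only on a normal (non-recovery) developer-mode boot.
hardened_shell_gate() {
  cros_debug="$1"
  boot_mode="$2"
  [ "$boot_mode" != "recovery" ] && [ "$cros_debug" = "1" ]
}

# Report a gate's decision as text so the two policies can be compared.
describe() {
  if "$1" "$2" "$3"; then echo "shell"; else echo "no-shell"; fi
}

# Walk every combination: the only row where the two policies disagree is
# cros_debug=1 in recovery, which is exactly the case the notes describe.
for mode in normal recovery; do
  for dbg in 0 1; do
    echo "cros_debug=$dbg boot=$mode: vulnerable=$(describe vulnerable_shell_gate "$dbg" "$mode") hardened=$(describe hardened_shell_gate "$dbg" "$mode")"
  done
done
```

The point of the comparison is that developer mode is a property of the installed OS's trust state, while the recovery initramfs is supposed to be trusted unconditionally; a gate that consults cros_debug from inside recovery imports a user-controllable bit into a context that should not have one.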

Exploit support:
✅ icarus https://github.com/applefritter-inc/BadApple-icarus (uses updated certs generated by kxtz, cosmic and fanq)

Credits
appleflyer
Titanium Network

https://github.com/applefritter-inc/BadApple
APPLEFRITTER INC: https://discord.gg/V8nGYyJRRC
