Br0ker - KV5 unenrollment
This exploit requires you to be on r132 or lower. I recommend that you downgrade using an image from cros.download. If you're on kernver 5, you'll need to use a r132 LTS-channel image, e.g. for platform version 16093.109.0.
You can also bundle the update payload with Sh1mmer if you build it manually, as explained below. This will automatically downgrade your device to a vulnerable version. Otherwise, skip to the "Usage" section.

Building Sh1mmer with an update payload
Note that the web builder cannot be used to build shims with update payloads.

1. Get Sh1mmer
git clone https://github.com/MercuryWorkshop/sh1mmer

2. Download the update for your board (it may ask you to install dependencies)
cd sh1mmer/wax
bash update_downloader.sh <board>
(Replace <board> with your board (lowercase). Currently most common boards are supported. Ping me if you want me to add another board.)
The downloaded update files will now be located in sh1mmer/wax/mounted_payloads/updates/16093. You may want to delete these when you're done building your shim; otherwise they will automatically be built into any shims you build in the future.

3. Build Sh1mmer with extra space
sudo bash wax.sh -i <raw_shim.bin> -s 2.0G
(Replace <raw_shim.bin> with the raw shim bin file for your board, downloadable from cros.download. You may also need more than 2.0G of space.)

Usage (Sh1mmer only)
Simply navigate to the payloads selector and select "Br0ker". Be sure not to unplug the USB drive until Br0ker is finished.

Usage (BadApple + Sh1mmer) (untested)

1. Enter BadApple

2. Plug in Sh1mmer USB drive

3. Find your USB drive device
ls /dev/sd*
You should see a list of /dev/sdXn devices. Take note of what X is for you.

4. Run these commands
mkdir -p /mnt/sh1mmer
mount -o ro /dev/sdX1 /mnt/sh1mmer
sh /mnt/sh1mmer/root/noarch/payloads/br0ker.sh
(Be sure to replace the X in the second command with your X value from above.)

Usage (Sh1ttyOOBE + recovery image + Sh1mmer)

Currently this requires you to prepare an unverified BadRecovery image.
These steps are the same as with BadApple, except instead of step 1, use these steps:
1. Perform Sh1ttyOOBE (you need to be on r135-r137 for this part)

2. Enter unverified BadRecovery (ignore any errors, just wait for the shell)

3. Once it fully loads, unplug the USB drive you used for BadRecovery.

4. Continue with step 2 in the BadApple section above.

Usage (Sh1ttyOOBE + badbr0ker)

Thanks to con for making this: https://github.com/crosbreaker/badbr0ker
Use Sh1ttyOOBE and then follow the directions at the link above.

Unenrollment

Once you are in the Br0ker script, it will ask you to confirm. Press "y" and then enter.
It may take a while for it to install the update on your device. Once it is complete, press enter again and the device will reboot into verified mode.
Once you're in verified mode, wait for the "Get started" button to appear. Once it does, go back into developer mode.
At this point, you're technically unenrolled. You'll probably need to do a few more steps before you sign in, so follow the guide in "Avoiding accidental re-enrollment".
If you can boot Sh1mmer, your easiest option may be to use the "Reset kernel rollback version" payload, and then downgrade to r124.

