kxtzownsu/Icarus-Lite
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6 Commits 1 Branch 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
cosmic 0f4de4c053
Update README.md
2025-03-07 15:58:29 -07:00
dmbackend
added dmbackend
2025-03-07 15:07:51 -07:00
LICENSE
Initial commit
2025-03-07 12:19:07 -07:00
main.py
Create main.py
2025-03-07 14:59:48 -07:00
README.md
Update README.md
2025-03-07 15:58:29 -07:00

README.md

Icarus-Lite

Icarus Lite is a lightweight and easy-to-use version of the ChromeOS unenrollment exploit known as Icarus, which unenrolls devices with device management interception using a proxy and a custom Certificate Authority.

Icarus Lite is based off the original Icarus code and works in the same way. Although the original Icarus is currently archived and no longer recieving support, Icarus Lite will be supported and updated.

Warnings

  • Icarus AND Icarus Lite only work on ChromeOS versions below 130. If you are above v130, please downgrade to use Icarus/Icarus Lite.
  • Icarus Lite has not been fully tested as of March 7th, 2025. If you encounter issues while using, please create an Issue.
  • Do not use any public Icarus proxies. Icarus can be used maliciously to remotely manage and track devices. Icarus Lite is intended to be simple to use, and self-hosting Icarus is heavily advised over using any public proxies.
  • Icarus Lite does NOT currently have functionality to build Icarus shims. Please download a prebuilt shim to use Icarus Lite, or refer an Icarus fork for information on manually building shims.

Setup Instructions

Windows

If you are on Windows, you can download a pre-compiled .exe version of Icarus in the "Releases" section of this repository. Alternatively, you can follow the Linux/Mac instructions below to manually build Icarus on your machine.

Linux/Mac

If you are on Linux or Mac (or wish to run Icarus Lite from its source directly on Windows), the below instructions will cover how to run Icarus Lite.

  1. Open a Command Prompt/Terminal window and run python --version and/or python3 --version. If the command is not found, install Python from python.org (or wherever/however is best for your OS/distro). Once Python has been installed, close and re-open a new terminal.
  2. Install the protobuf Python package, which can be done by running pip install protobuf and/or pip3 install protobuf. On some Linux distros (specifically in managed environments), pip may not work correctly, in which case you may need to use sudo apt install python3-protobuf.
  3. Run git --version. If the command is not found, install Git from git-scm.com (or wherever/however is best for your OS/distro). Once Git has been installed, close and re-open a new terminal.
  4. In whichever directory you want to copy Icarus Lite into, run git clone https://github.com/cosmicdevv/Icarus-Lite.git, then run cd Icarus-Lite.
  5. Run python main.py and/or python3 main.py.
  6. Icarus Lite will attempt to automatically set up the required file structure and download the latest SSL certificates from kxtz's Icarus fork.
Icarus Lite failing to download certificates? You will need to manually download the certificates from a proper source (recommended to use [kxtz's Icarus fork](https://git.kxtz.dev/kxtzownsu/httpmitm/src/branch/main/configs/m.google.com/public)) and place them into ``Icarus Lite/manualcerts``.

Usage Instructions

Once Icarus Lite is running, usage is extremely simple. Icarus Lite will attempt to automatically fetch your local IP when the Proxy Server starts, and will provide you with an IP and port to use. Using Icarus Lite on the target ChromeOS device is the same process as using normal Icarus assuming the device's Stateful Partition has already been modified by an Icarus shim. The target ChromeOS device should be on the SAME network as the device hosting the Icarus Lite server.

  1. After rebooting into ChromeOS verified mode following using an Icarus shim, do not click "continue". Instead, manually open the Network Configuration by clicking on the bottom-right icons which contain the time, WiFi, and Battery status. Once in Network Configuration, connect to your WiFi and enter the proxy settings.
  2. Set "Connection Type" to Manual
  3. Set the "Secure HTTP" IP address to the IP Icarus Lite gives you
  4. Set the "Secure HTTP" port to the port Icarus Lite gives you
  5. Click "Save"
  6. Resume the ChromeOS setup process as normal and Icarus Lite should unenroll you.
Device still enrolling/getting "Can't reach Google"? - Make sure that Icarus Lite is recieving and handling the ChromeOS device's requests; check the terminal/window where Icarus Lite is running for any output past "Icarus LITE is running on...". If nothing else has been output, it means Icarus Lite isn't recieving requests from the Chromebook and therefore is not handling them accordingly. In this case, re-run the Icarus shim and ensure: - The target ChromeOS device and the device hosting the proxy are on the SAME WiFi network - The shim used on the target ChromeOS device was built with the same CA (Certificate Authority) used to generate the SSL certificates. - If you're using a prebuilt shim and don't know what CA was used, consider building your own shim and SSL certificates if nothing else works.

Prebuilt Shim Downloads

Icarus Lite only replaces the server functionality of Icarus, but for Icarus to successfully unenroll a ChromeOS device, that device still must have had an Icarus shim ran on it. Icarus Lite does not currently have the functionality to build shims, so users must either use prebuilt shims or build their own shims from Icarus's original source. Instructions on building shims, along with a maintained fork of Icarus, can be found here.

For prebuilt shims, it is recommended to download them from the below servers:

Certificates

In order for the client (target ChromeOS device) to establish a proper connection to the MiniSever, we need an SSL certificate to establish the secure tunnel. If the SSL certificate is invalid, the target device will reject the connection (which in most cases will bring you to a "Cannot reach Google" screen). Icarus uses a custom CA (Certificate Authority) which isn't trusted to external devices, which also means any SSL certificates generated from our custom CA will also not be trusted to external devices. This causes most devices (including any ChromeOS devices) to reject the connection because of the untrusted CA.

This is why a user must run an Icarus shim on a ChromeOS device prior to using the Icarus Lite server for unenrollment; in the simplest terms, the shim makes the device trust the CA so that way the device won't refuse the connection to the MiniServer.

When a shim has been built using a different CA than the SSL certificates, the target device will still reject the connection. This is why if constantly getting a "Can't reach Google" screen, users should consider building their own shim and SSL certificates.

SSL certificates can be generated using generate_ssl_certificate.sh once a CA has been generated.

Future Updates

This section contains planned updates to Icarus Lite to improve functionality.

  • Shim building implementation

Credits

  • cosmicdevv - Writing and maintaining Icarus Lite
  • MunyDev - Discovering and creating original Icarus
  • Fanqyxl - new maintainer
  • kxtzownsu - Maintaining certificates Icarus uses
Description
https://github.com/cosmicdevv/Icarus-Lite
Readme GPL-3.0 221 KiB
Languages
Python 78.5%
Shell 21.5%