Pencil Method - Chrome OS Exploits

This can harm your Chromebook if done incorrectly. Perform at your own risk.

Unenrolling by bridging pins on the motherboard.

The proper guide was created by Darkn.

Conductive material (staple, tin foil, paperclip, etc.)

Scissors

Tape (optional, recommended)

USB drive or SD card with Sh1mmer flashed

Screwdriver corresponding to the screws of your Chromebook

With a screwdriver, remove each screw from the bottom of your Chromebook.
Disconnect the battery. The battery cable placement varies between models.
On the motherboard, find the 8-pin chip with pins sticking out or in. It likely has winbond or GigaDevice branding, and it may show 25Q64[xx] or 25Q128[xx] below the branding. It may be located on the back of the motherboard.
Shape a piece of your conductive material long enough to connect to both sides of the chip and small enough to not make contact with multiple pins on either side of the chip.
Place one end of the conductive material on pin 3 (WP). [SOIC-8] [WSON-8]
Place the other end of the conductive material on pin 8 (VCC). [SOIC-8] [WSON-8]
If necessary, place tape on top of the chip to keep the conductive material on the pins. [SOIC-8] [WSON-8]
Connect the battery.

Boot into Sh1mmer with the USB.
In the Sh1mmer menu, navigate to Utilities.
Select Un-Enroll Device. This is necessary even if the process fails.
In the Utilities menu, select Open Bash.
In the bash shell, run the following commands:
flashrom --wp-disable /usr/share/vboot/bin/set_gbb_flags.sh 0x8090
If the commands fail, the pins are not bridged correctly.
Reboot the Chromebook by pressing Refresh + Power .
Press Ctrl + D to bypass the OS verification screen.
Boot into Chrome OS.
Press Ctrl + Alt + F2 to enter the VT2 shell.
Log in to the shell as root.
Run the following commands:
tpm_manager_client take_ownership cryptohome --action=remove_firmware_management_parameters
Press Ctrl + Alt + F1 to exit the VT2 shell.
Press Ctrl+Alt+Shift+R.
Click Powerwash.